CVE Candidates as of 20030718

Candidates must be reviewed and
accepted by the CVE Editorial Board before they can be
added to the official CVE list. Therefore, these
candidates may be modified or even rejected in the
future. They are provided for use by individuals
who have a need for an early numbering scheme
for items that have not been fully reviewed by the
Editorial Board.

CAN-1999-0001

Description: Denial of service in BSD-derived TCP/IP implementations, as described
in CERT CA-98-13.

Votes:

MODIFY(1) Frech
NOOP(2) Wall, Northcutt
REVIEWING(1) Christey

Voter Comments:

Christey> A Bugtraq posting indicates that the bug has to do with
"short packets with certain options set," so the description
should be modified accordingly.
But is this the same as CVE-1999-0052? That one is related
to nestea (CAN-1999-0257) and probably the one described in
BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
The patch for nestea is in ip_input.c around line 750.
The patches for CAN-1999-0001 are in lines 388&446. So,
CAN-1999-0001 is different from CAN-1999-0257 and CVE-1999-0052.
The FreeBSD patch for CVE-1999-0052 is in line 750.
So, CAN-1999-0257 and CVE-1999-0052 may be the same, though
CVE-1999-0052 should be RECAST since this bug affects Linux
and other OSes besides FreeBSD.
Frech> XF:teardrop(338)
This assignment was based solely on references to the CERT advisory.

Frech> Extremely minor, but I believe e-mail is the correct term. (If you reject
this suggestion, I will not be devastated.) :-)
Christey> This issue seems to have been rediscovered in
BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again
http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2
Also see
BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2
Christey>
CAN-2000-0415 may be a later rediscovery of this problem
for Outlook.
Dik> Sun bug 4163471,
Christey> ADDREF BID:125
Christey> BUGTRAQ:19980730 Long Filenames & Lotus Products
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526201&w=2

Frech> XF:xlock-bo (also add)
As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and
several Linii.
Also, don't you mean to cite SGI:19970502-02-PX? The one you list is
login/scheme.
Levy> Notice that this xlock overflow is the same as in
CA-97.13. CA-97.21 simply is a reminder.
Christey> As pointed out by Elias, CA-97.21 states: "For more
information about vulnerabilities in xlock... see CA-97.13"
CA-97.13 = CVE-1999-0038.
This may also be a duplicate with CAN-1999-0306.
See exploits at:
http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418394&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418404&w=2
Sun also has this problem, at
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/150&type=0&nav=sec.sba

Christey> This should be split into three separate problems based on
the SNI advisory. But there's newer information to further
complicate things.
What do we do about this one? In 1997 or so, SNI did an
advisory on this problem. In early 2000, it was still
discovered to be present in some Linux systems. So an
SF-DISCOVERY content decision might say that this is a
long enough time between the two, so this should be recorded
separately. But they're the same codebase... so if we keep
them in the same entry, how do we make sure that this entry
reflects that some new information has been discovered?
The use of dot notation may help in this regard, to use one
dot for the original problem as discovered in 1997, and
another dot for the resurgence of the problem in 2000.
Baker> We should merge these.

Christey> This candidate should be SPLIT, since there are two separate
software flaws. One is a symlink race and the other is a
shell metacharacter problem.
Christey> The permissions part of this vulnerability appears to
overlap with CVE-1999-0353
Christey> SGI:20020802-01-I

Frech> Reference: XF:ibm-routed
Prosser> This vulnerability allows debug mode to be turned on which is
the problem. Should this be more specific in the description? This
one also affects SGI OSes, ref SGI Security Advisory 19981004-PX which
is in the SGI cluster. Shouldn't these be cross-referenced, as the same
vuln affects multiple OSes?
Christey> This appears to be subsumed by CVE-1999-0215

Frech> ERS (and other references, BTW) explicitly stipulate 'local and
remote'.
Reference: XF:irix-autofsd
Prosser> Include the SGI Alert as well since it is mentioned in the
description.
SGI Security Advisory 19981005-01-PX
Christey> DUPE CAN-1999-0210?
Christey> ADDREF CIAC:J-014
Baker> It does look very similar to 1999-0210. Perhaps they should be a single entry

Frech> Reference: XF:ibm-libDtSvc
Prosser> The overflow is in the dtaction utility. Also affects
dtaction in the CDE on versions of SunOS (SUN 164). Probably should be
specific.
Christey> Same Codebase as CAN-1999-0121, so the two entries should be
merged.

CAN-1999-0092

Phase: Proposed (19990623)

Reference: ERS:ERS-SVA-E01-1997:006.1

Description: Various vulnerabilities in the AIX portmir command allow
local users to obtain root access.

Frech> (Accept XF reference.)
Our references do not mention hiding activities. This issue can crash the
SMTP server or execute arbitrary byte-code. Is there another reference
available?
Christey> Should this be merged with CAN-1999-0284, which is Sendmail
with SMTP HELO?
Christey> BUGTRAQ:19980522 about sendmail 8.8.8 HELO hole
http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925991&w=2
BUGTRAQ:19980527 about sendmail 8.8.8 HELO hole
http://marc.theaimsgroup.com/?l=bugtraq&m=90221101926003&w=2

Description: A later variation on the Teardrop IP denial of service attack,
a.k.a. Teardrop-2

Votes:

ACCEPT(2) Frech, Wall
REVIEWING(1) Christey

Voter Comments:

Wall> Another reference is Microsoft Knowledge Base Q179129.
Christey> Not sure how many separate "instances" of Teardrop there are.
See: CAN-1999-0015, CAN-1999-0104, CAN-1999-0257, CAN-1999-0258
Christey> See the SCO advisory at:
http://www.securityfocus.com/templates/advisory.html?id=1411
which may further clarify the issue.
Christey> MSKB:Q179129
http://support.microsoft.com/support/kb/articles/q179/1/29.asp
Christey> MSKB:Q179129
http://support.microsoft.com/support/kb/articles/q179/1/29.asp
Note that the hotfix name is teardrop2, but the keywords
included in the KB article specifically name bonk
(CAN-1999-0258) and boink.
Since teardrop2 was fixed in a slightly different version
(at least in a separate patch) than Teardrop, CD:SF-LOC
suggests keeping them separate.
Christey> Add period to the end of the description.

CAN-1999-0105

Phase: Proposed (19990726)

Description: finger allows recursive searches by using a long string of @ symbols.

Shostack> fingerd allows redirection
This is a larger modification, since there are two applications of the
vulnerability, one that I can finger anonymously, and the other that I
can finger bomb anonymously.
Frech> XF:finger-bomb
Christey> need more refs

Wall> - Although this is probably the phf hack.
Frech> XF:apache-dos
Christey> This sounds like the incident reported in:
NTBUGTRAQ:20000810 Apache Distributed Denial of Service
Levy> I believe this is the problem where sending lots of HTTP headers to Apache resulted in a denial of service.
BUGTRAQ: http://www.securityfocus.com/archive/1/10228
BUGTRAQ: http://www.securityfocus.com/archive/1/10516

Frech> XF:elm-filter2
CHANGE> [Wall changed vote from NOOP to ACCEPT]
Landfield> with Frech modifications
Baker> ADD REF http://www.cert.org/ftp/cert_bulletins/VB-95:10a.elm Official Advisory
Christey> The correct URL is http://www.cert.org/vendor_bulletins/VB-95:10a.elm
Need to make sure that this CERT advisory describes the right
problem, especially since the CERT advisory is dated December
18, 1995 and the original Bugtraq post was December 26, 1995.
Christey> BID:1802
URL:http://www.securityfocus.com/bid/1802
BID:1802 doesn't include the 1999 posting - does Security
Focus think that the 1999 post describes a different
vulnerability?
Christey> XF:elm-filter2 isn't on the X-Force web site. How about XF:elm-filter(402) ?
Its references point to the December 26, 1995 Bugtraq post.
Also consider CIAC:G-36 and CERT:VB-95:10
Frech> DELREF:XF:elm-filter2(711)
ADDREF:XF:elm-filter(402)

Frech> Reference: XF:dtaction-bo
Reference: XF:sun-dtaction
Prosser> Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a
library in AIX 4.x, but reference for this Sun vulnerability should
only reflect the Sun Bulletin or the CIAC I-032 version of the Sun
Bulletin
Christey> This is the Same Codebase as CAN-1999-0089, so the two entries
should be merged.
Frech> Replace sun-dtaction(732) with dtaction-bo(879)
Baker> Merge with 1999-0089

Frech> (keep current XF: reference, and add)
XF:hpux-sqwmodify
Christey> Perhaps this should be split, per SF-LOC.
Christey> CIAC:H-81
http://ciac.llnl.gov/ciac/bulletins/h-81.shtml
HP:HPSBUX9707-064 references CERT:CA-96.27
http://ciac.llnl.gov/ciac/bulletins/h-81.shtml
The original AUSCERT advisory says that the programs "create
files in an insecure manner" and "Exploit details involving
this vulnerability have been made publicly available." which
leads one to assume that the following original Bugtraq post
provides the details for a standard symlink problem:
BUGTRAQ:19961005 swinst,bug
http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419941&w=2

Meunier> Add "pptp invalid packet length in header" to distinguish from other
vulnerabilities in RAS/PPTP on NT systems resulting in DOS, that might be
discovered in the future.
Frech> XF:nt-ras-bo
ONLY IF reference is to MS:MS99-016
Christey> According to my mappings, this is not the MS:MS99-016 problem
referred to by Andre. However, I have yet to dig up a
source.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
CHANGE> [Christey changed vote from REVIEWING to REJECT]
Christey> This is too general to know which problem is being discussed.
More precise candidates should be created.
Christey> Consider adding BID:2111

Description: Denial of service in Qmail by specifying a large number of recipients
with the RCPT command.

Votes:

ACCEPT(4) Baker, Frech, Meunier, Hill
REVIEWING(1) Christey

Voter Comments:

Christey> DUPE CAN-1999-0418 and CAN-1999-0250?
Christey> Dan Bernstein, author of Qmail, says that this is not a
vulnerability in qmail because Unix has built-in resource
limits that can restrict the size of a qmail process; other
limits can be specified by the administrator. See
http://cr.yp.to/qmail/venema.html
Significant discussion of this issue took place on the qmail
list. The fundamental question appears to be whether
application software should set its own limits, or rely
on limits set by the parent operating system (in this case,
UNIX). Also, some people said that the only problem was that
the suggested configuration was not well documented, but this
was refuted by others.
See the following threads at
http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
"Denial of service (qmail-smtpd)"
"qmail-dos-2.c, another denial of service"
"[PATCH] denial of service"
"just another qmail denial-of-service"
"the UNIX way"
"Time for a reality check"
Also see Bugtraq threads on a different vulnerability that
is related to this topic:
BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html
Baker> http://cr.yp.to/qmail/venema.html
Bernstein rejects this as a vulnerability, claiming this is a slander campaign by Wietse Venema.
His page states this is not a qmail problem, rather it is a UNIX problem
that many apps can consume all available memory, and that the administrator
is responsible to set limits in the OS, rather than expect applications to
individually prevent memory exhaustion. CAN 1999-0250 does appear to
be a duplicate of this entry, based on the research I have done so far.
There were two different bugtraq postings, but the second one references
the first, stating that the new exploit uses perl instead of shell scripting
to accomplish the same attack/exploit.
Baker> http://www.securityfocus.com/archive/1/6970
http://www.securityfocus.com/archive/1/6969
http://cr.yp.to/qmail/venema.html
Should probably reject CAN-1999-0250, and add these references to this
Candidate.
Baker> http://www.securityfocus.com/bid/2237
CHANGE> [Baker changed vote from REVIEWING to ACCEPT]
Christey> qmail-dos-1.c, as published by Wietse Venema (CAN-1999-0250)
in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not
use any RCPT commands. Instead, it sends long strings
of "X" characters. A followup by "super@UFO.ORG" includes
an exploit that claims to do the same thing; however, that
exploit does not send long strings of X characters - it sends
a large number of RCPT commands. It appears that super@ufo.org
followed up to the wrong message.
qmail-dos-2.c, as published by Wietse Venema (CAN-1999-0144)
in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack"
sends a large number of RCPT commands.
ADDREF BID:2237
ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
ADDREF BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd)
Also see a related thread:
BUGTRAQ:19990308 SMTP server account probing
http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2
This also describes a problem with mail servers not being able
to handle too many "RCPT TO" requests. A followup message
notes that application-level protection is used in Sendmail
to prevent this:
BUGTRAQ:19990309 Re: SMTP server account probing
http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2
The person further says, "This attack can easily be
prevented with configuration methods."

Description: IIS 2.0 and 3.0 allows remote attackers to read the source code for
ASP pages by appending a . (dot) to the end of the URL.

Votes:

ACCEPT(4) Frech, Wall, Foat, Stracener
NOOP(2) Cole, Christey

Voter Comments:

Christey> This is the precursor to the problem that is identified in
CAN-1999-0253.
Christey> CIAC:H-48
URL:http://ciac.llnl.gov/ciac/bulletins/h-48.shtml
CHANGE> [Foat changed vote from NOOP to ACCEPT]

Prosser> but so far can find no reference to this one
Frech> Our records indicate that this does not necessarily affect just wu-ftp (i.e.,
it also affects the IIS FTP server).
Christey> The references for XF:ftp-pwless are not specific enough,
e.g. in terms of version numbers. Perhaps this candidate
should be rejected due to insufficient information.

CAN-1999-0163

Phase: Proposed (19990714)

Reference: XF:smtp-pipe

Description: In older versions of Sendmail, an attacker could use a pipe character
to execute root commands.

Shostack> There was a 'To: |' and a 'From: |' attack, which I
think are separate.
Prosser> older vulnerability, but one additional reference is-
The Ultimate Sendmail Hole List by Markus Hübner @
bau2.uibk.ac.at/matic/buglist.htm
'|PROGRAM '
Christey> Description needs to be more specific to distinguish between
this and CAN-1999-0203, as alluded to by Adam Shostack

Frech> Change XF:snmp-backdoor-access to XF:sol-hidden-commstr
Add ISS:Hidden Community String in SNMP Implementation
Christey> What is the proper level of abstraction to use here? Should
we have a separate entry for each different default community
string? See:
http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and
http://cve.mitre.org/Board_Sponsors/archives/msg00250.html
http://cve.mitre.org/Board_Sponsors/archives/msg00251.html
Until the associated content decisions have been approved
by the Editorial Board, this candidate cannot be accepted
for inclusion in CVE.
Christey> ADDREF BID:177
Christey> ISS:19981102 Hidden community string in SNMP implementation
http://xforce.iss.net/alerts/advise11.php
Change description to include "hidden"
Christey> XF:snmp-backdoor-access is missing.

CAN-1999-0187

Phase: Modified (19990805)

Reference: SUN:00179

Description: ** REJECT ** Duplicate of CAN-1999-0022 (SUN:00179 is referenced in
CERT:CA-97.23.rdist)
The rdist program in Solaris has some buffer overflows that allow
attackers to gain root access.

Prosser> The Sun Patches in Ref roll up fixes for an earlier BO in
rdist lookup() (ref CERT 96.14) as well as the BO in rdist function expstr()
(ref CERT 97-23) and various vendor bulletins. However, both of these rdist
BOs affect many more OSs than just Sun, i.e., BSD/OS 2.1, DEC OSF's, AIX,
FreeBSD, SCO, SGI, etc. Believe this falls into the SF-codebase content
decision.
Frech> XF:rdist-bo (error msg formation)
XF:rdist-bo2 (execute code)
XF:rdist-bo3 (execute user-created code)
XF:rdist-sept97 (root from local)
Christey> Duplicate of CAN-1999-0022 (SUN:00179 is referenced in
CERT:CA-97.23.rdist), but as Mike and Andre noted, there
are multiple flaws here, so a RECAST may be necessary.
Dik> As currently phrased, this is a duplicate of CVE-1999-0022
Baker> Based on our new philosophy, this should be recast/merged or re-described.

CAN-1999-0193

Phase: Proposed (19990714)

Description: Denial of service in Ascend and 3com routers, which can be rebooted by
sending a zero length TCP option.

Frech> possibly XF:ascend-kill
I can't find a reference that lists both routers in the same reference.
Wall> Comment: There is a reference about the zero length TCP option in BugTraq on
Feb 5, 1999, and it mentions Cisco, but not directly Ascend or 3Com. CIAC Advisory I-038
mentions vulnerabilities in Ascend, but does not mention TCP. CIAC Advisory I-052
mentions 3Com vulnerabilities, but not TCP. Too confusing without better references.
Landfield> What are the references for this ? I cannot find a means to check it out.
CHANGE> [Frech changed vote from REVIEWING to NOOP]
Frech> Cannot reconcile to our database without further references.
Blake> I'm with Andre. I only remember and can find reference to the Ascend
issue. Do we have a reference to the 3Coms? If not, that should be
removed from the description.
Baker> http://xforce.iss.net/static/614.php Misc Defensive Info
http://www.securityfocus.com/archive/1/5682 Misc Offensive Info
http://www.securityfocus.com/archive/1/5647 Misc Defensive Info
http://www.securityfocus.com/archive/1/5640 Misc Defensive Info
CHANGE> [Armstrong changed vote from REVIEWING to NOOP]

Shostack> WFTP is not sufficient; is this wu-, ws-, war-, or another?
Frech> Others have mentioned this before, but it may be WU-FTP.
POSSIBLY XF:ftp-exec; does this have to do with the Site Exec allowing root
access without anon FTP or a regular account?
POSSIBLY XF:wu-ftpd-exec; same as above conditions, but instead from a
non-anon FTP account and gain root privs.
Christey> added MSKB reference
CHANGE> [Christey changed vote from REVOTE to REJECT]
Christey> The MSKB article may have confused things even more. There
were reports of problems in a Windows-based FTP server called
WFTP (http://www.wftpd.com/) that is not a Microsoft FTP
server. It's best to just kill this candidate where it
stands and start fresh.

Frech> XF:sendmail-alias-dos
Prosser> additional source
Bugtraq
"Re: SM 8.6.12"
http://www.securityfocus.com
Christey> The Bugtraq thread does not provide any proof, including a
comment by Eric Allman that he hadn't been provided any
details either.
See http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-07-8&thread=199507131402.KAA02492@bedbugs.net.ohio-state.edu
for the thread.
Christey> Change Bugtraq reference date to 19950708.

Frech> XF:sun-libnsl
Dik> Sun bug #4305859
Baker> http://xforce.iss.net/static/1204.php Misc Defensive Info
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172&type=0&nav=sec.sba Vendor Info
http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/A1050E354364BF498525680F0077E414/$file/ERS-OAR-E01-1998_074_1.txt Vendor Info
http://www.securityfocus.com/archive/1/9749 Misc Defensive Info
Christey> I don't think this is the bug that everyone thinks it is.
This candidate came from CyberCop Scanner 2.4/2.5, which
only reports this as a DoS problem. If SUN:00172 is an
advisory for this, then it may be a duplicate of
CVE-1999-0055. There appears to be overlap with other
references as well. HOWEVER, this particular one deals with a
DoS in rpcbind - which isn't mentioned in the sources for
CVE-1999-0055.
Levy> BID 148

Description: Denial of service of inetd on Linux through SYN and RST packets.

Votes:

ACCEPT(1) Hill
MODIFY(2) Baker, Frech
RECAST(1) Meunier

Voter Comments:

Meunier> The location of the vulnerability, whether in the Linux kernel or the
application, is debatable. Any program making the same (reasonable)
assumption is vulnerable, i.e., implements the same vulnerability:
"Assumption that TCP-three-way handshake is complete after calling Linux
kernel function accept(), which returns socket after getting SYN. Result
is process death by SIGPIPE"
Moreover, whether it results in DOS (to third parties) depends on the
process that made the assumption.
I think that the present entry should be split, one entry for every
application that implements the vulnerability (really describing threat
instances, which is what other people think about when we talk about
vulnerabilities), and one entry for the Linux kernel that allows the
vulnerability to happen.
Frech> XF:hp-inetd
XF:linux-inetd-dos
Baker> Since we have an hpux bulletin, the description should not specifically say Linux, should it? It applies to multiple OSes and should likely be either modified or, in the extreme case, recast.

CAN-1999-0220

Phase: Proposed (19990728)

Description: Attackers can do a denial of service of IRC by crashing the server.

Votes:

NOOP(1) Northcutt
REJECT(2) Frech, Christey

Voter Comments:

Frech> Would reconsider if any references were available.
Christey> No references available, combined with extremely vague
description, equals REJECT.

CAN-1999-0222

Phase: Proposed (19990714)

Description: Denial of service in Cisco IOS web server allows attackers to reboot
the router using a long URL.

Shostack> I follow cisco announcements and problems pretty closely, and haven't
seen this. Source?
Frech> XF:cisco-web-crash
Christey> XF:cisco-web-crash has no additional references. I can't find
any references in Bugtraq or Cisco either. This bug is
supposedly tested by at least one security product, but that
product's database doesn't have any references either. So
a question becomes, how did it make it into at least two
security companies' databases?
Levy> BUGTRAQ: http://www.securityfocus.com/archive/1/60159
BID 1154
Ziese> The vulnerability is addressed by a vendor acknowledgement. This one, if
recast to reflect that "...after using a long url..." should be replaced
with
"...A defect in multiple releases of Cisco IOS software will cause a Cisco
router or switch to halt and reload if the IOS HTTP service is enabled,
browsing to "http://router-ip/anytext?/" is attempted, and the enable
password is supplied when requested. This defect can be exploited to produce
a denial of service (DoS) attack."
Then I can accept this and mark it as "Verified by my Company". If it can't
be recast because this (long uri) is different than our release (special
url construction).
CHANGE> [Christey changed vote from REVIEWING to REJECT]
Christey> Elias Levy's suggested reference is CVE-2000-0380.
I don't think that Kevin's description is really addressing
this either. The lack of references and a specific
description make this candidate unusable, so it should be
rejected.

Wall> Denial of service in Windows NT IIS Server 1.0 using ..\...
Source: Microsoft Knowledge Base Article Q115052 - IIS Server.
Frech> XF:http-dotdot (not necessarily IIS?)
Christey> DELREF XF:http-dotdot - it deals with a read/access dot dot
problem.
Christey> This actually looks like XF:iis-dot-dot-crash(1638)
http://xforce.iss.net/static/1638.php
If so, include the version number (2.0)
CHANGE> [Christey changed vote from REVOTE to REJECT]
Christey> Bill Wall intended to suggest Q155052, but the affected
IIS version there is 1.0; the effect is to read files,
so this sounds like a directory traversal problem,
instead of an inability to process certain strings.
As a result, this candidate is too general, since it could
apply to 2 different problems, so it should be REJECTed.
Christey> Consider adding BID:2218

Frech> XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below)
XF:smtp-vrfy-bo (many mail packages)
Northcutt> (There is no way I will have access to these systems)
Christey> Some sources report that VRFY and EXPN are both affected.

Frech> Unable to provide a match due to vague/insufficient description/references.
Possible matches are:
XF:ftp-ncsa (probably not, considering you've mentioned the webserver.)
XF:http-ncsa-longurl (highest probability)
Christey> CAN-1999-0235 is the one associated with XF:http-ncsa-longurl
More research is necessary for this one.
Baker> Since this has no references at all, and is vague and we have a
CAN for the most likely issue, we should kill this one

Frech> XF:http-ncsa-longurl
Christey> CAN-1999-0235 has the same ref's as CVE-1999-0267
Baker> Not to mention, the X-force listings of http-ncsa-longurl and http-port both
refer to the same problem. This should be rejected as 1999-0267 is the same problem.

Frech> Ambiguous description: need more detail. Possibly:
XF:linux-pop3d (mktemp() leads to reading e-mail)
Christey> At first glance this might look like CAN-1999-0123 or
CVE-1999-0125, however this particular candidate arises out
of a brief mention of the problem in a larger posting which
discusses CAN-1999-0123 (which may be the same bug as
CVE-1999-0125). See the following phrase in the Bugtraq
post: "one such example of this is in.pop3d"
However, the original source of this candidate's description
explicitly mentions shadowed passwords, though it has no
references to help out here.

Christey> This has no sources; neither does the original database that
this entry came from. It's a likely duplicate of
CAN-1999-0813.
Frech> I disagree on the dupe; see Linux-Security Mailing List,
"[linux-security] Cfinger (Yet more :)" at
http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as
if v1.2.3 is vulnerable, perhaps 1.3.0 also. CAN-1999-0813 pertains
to 1.4.x and below and shows up two years later.
CHANGE> [Frech changed vote from REVIEWING to REJECT]
Frech> If the reference I previously supplied is correct, then
it appears as if the poster modified the source using authorized
access to make it vulnerable. Modifying the source in this manner
does not qualify as being listed a vulnerability.

Frech> Comment: Determine if it's RemoteWatch or Remote Watch.
Christey> HP:HPSBUX9610-039 alludes to multiple vulnerabilities in
Remote Watch (the advisory uses two words, not one, for the
"Remote Watch" name)
ADDREF BUGTRAQ:19961015 HP/UX Remote Watch (was Re: BoS: SOD remote exploit)
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=199610151351.JAA18241@grymoire.crd.ge.com
Prosser> Agree that the advisory mentions two vulnerabilities in Remote
Watch, one being a socket connection and the other with the showdisk utility,
which seems to be a suid vulnerability. Never get much detail on this
anywhere since the recommendation is to remove the program, since it is
obsolete and superseded by later tools. Believe the biggest concern here is
to just not run the tool at all.
Christey> CIAC:H-16
Also, http://www.cert.org/vendor_bulletins/VB-96.20.hp
And possibly AUSCERT:AA-96.07 at
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.07.HP-UX.Remote.Watch.vul
Christey> Also BUGTRAQ:19961013 BoS: SOD remote exploit
http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419969&w=2
Include "remwatch" in the description to facilitate search.

Frech> XF:qmail-rcpt
Christey> DUPE CAN-1999-0418 and CAN-1999-0144?
Christey> Dan Bernstein, author of Qmail, says that this is not a
vulnerability in qmail because Unix has built-in resource
limits that can restrict the size of a qmail process; other
limits can be specified by the administrator. See
http://cr.yp.to/qmail/venema.html
Significant discussion of this issue took place on the qmail
list. The fundamental question appears to be whether
application software should set its own limits, or rely
on limits set by the parent operating system (in this case,
UNIX). Also, some people said that the only problem was that
the suggested configuration was not well documented, but this
was refuted by others.
See the following threads at
http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
"Denial of service (qmail-smtpd)"
"qmail-dos-2.c, another denial of service"
"[PATCH] denial of service"
"just another qmail denial-of-service"
"the UNIX way"
"Time for a reality check"
Also see Bugtraq threads on a different vulnerability that
is related to this topic:
BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html
Baker> This appears to be the same vulnerability listed in CAN 1999-0144. In reading
through both bugtraq postings, the one that is referenced by 0144 is
based on a shell code exploit to cause memory exhaustion. The bugtraq
posting referenced by this entry refers explicitly to the prior
posting for 0144, and states that the same effect could be
accomplished by a perl exploit, which was then attached.
Baker> http://www.securityfocus.com/archive/1/6969 CAN-1999-0144
http://www.securityfocus.com/archive/1/6970 CAN-1999-0250
Both references should be added to CAN-1999-0144, and CAN-1999-0250
should likely be rejected.
CHANGE> [Baker changed vote from REVIEWING to REJECT]
Christey> XF:qmail-leng no longer exists; check with Andre to see if they
regarded it as a duplicate as well.
qmail-dos-1.c, as published by Wietse Venema (CAN-1999-0250)
in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not
use any RCPT commands. Instead, it sends long strings
of "X" characters. A followup by "super@UFO.ORG" includes
an exploit that claims to do the same thing; however, that
exploit does not send long strings of X characters - it sends
a large number of RCPT commands. It appears that super@ufo.org
followed up to the wrong message.
qmail-dos-2.c, as published by Wietse Venema (CAN-1999-0144)
in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack"
sends a large number of RCPT commands.
ADDREF BUGTRAQ:19970612 Denial of service (qmail-smtpd)
ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
Also see a related thread:
BUGTRAQ:19990308 SMTP server account probing
http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2
This also describes a problem with mail servers not being able
to handle too many "RCPT TO" requests. A followup message
notes that application-level protection is used in Sendmail
to prevent this:
BUGTRAQ:19990309 Re: SMTP server account probing
http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2
The person further says, "This attack can easily be
prevented with configuration methods."

Christey> This is a problem that was introduced after patching a
previous dot bug with the iis-fix hotfix (see CAN-1999-0154).
Since the hotfix introduced the problem, this should be
treated as a separate issue.
Wall> Agree with the comment.
LeBlanc> - this one is so old, I don't remember it at all and can't verify or
deny the issue. If you can find some documentation that says we fixed it (KB
article, hotfix, something), then I would change this to ACCEPT
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> BID:1814
URL:http://www.securityfocus.com/bid/1814

Christey> What is the proper level of abstraction to use here? Should
we have a separate entry for each different default community
string? See:
http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and
http://cve.mitre.org/Board_Sponsors/archives/msg00250.html
http://cve.mitre.org/Board_Sponsors/archives/msg00251.html
Until the associated content decisions have been approved
by the Editorial Board, this candidate cannot be accepted
for inclusion in CVE.

Frech> XF:irc-bo
Christey> This is too general and doesn't have any references. The
XF reference doesn't appear to exist any more.
Perhaps this reference would help:
BUGTRAQ:19970701 ircd buffer overflow
Baker> It appears that the XForce entry has been corrected, and there is a patch posted in the original bugtraq post.

Frech> XF:nestea-linux-dos
Christey> Not sure how many separate "instances" of Teardrop
and its ilk. Also see comments on CAN-1999-0001.
See: CAN-1999-0015, CAN-1999-0104, CAN-1999-0257, CAN-1999-0258
Is CAN-1999-0001 the same as CVE-1999-0052? That one is related
to nestea (CAN-1999-0257) and probably the one described in
BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
The patch for nestea is in ip_input.c around line 750.
The patches for CAN-1999-0001 are in lines 388&446. So,
CAN-1999-0001 is different from CAN-1999-0257 and CVE-1999-0052.
The FreeBSD patch for CVE-1999-0052 is in line 750.
So, CAN-1999-0257 and CVE-1999-0052 may be the same, though
CVE-1999-0052 should be RECAST since this bug affects Linux
and other OSes besides FreeBSD.
Also see BUGTRAQ:19990909 CISCO and nestea.
Finally, note that there is no fundamental difference between
nestea and nestea2/nestea-v2; they are different ports that
exploit the same problem.
The original nestea advisory is at
http://www.technotronic.com/rhino9/advisories/06.htm
but notice that the suggested fix is in line 375 of
ip_fragment.c, not ip_input.c.
Christey> See the SCO advisory at:
http://www.securityfocus.com/templates/advisory.html?id=1411
which may further clarify the issue.
Christey> BUGTRAQ:19980501 nestea does other things
http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925819&w=2
BUGTRAQ:19980508 nestea2 and HP Jet Direct cards.
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925870&w=2
BUGTRAQ:19981027 nestea v2 against freebsd 3.0-Release
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90951521507669&w=2
Nestea source code is in
MISC:http://oliver.efri.hr/~crv/security/bugs/Linux/ipfrag6.html

Christey> Problem confirmed by RealServer vendor (URL listed in Bugtraq
posting), but may be multiple codebases since several
Real Audio servers are affected.
Also, this may be the same as BUGTRAQ:19991105 RealNetworks RealServer G2 buffer overflow.
See CVE-1999-0896
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> ADDREF XF:realvideo-telnet-dos

CAN-1999-0282

Phase: Proposed (19990623)
Reference: CERT:CA-95.12.sun.loadmodule.vul

Description: Vulnerabilities in loadmodule and modload programs in SunOS and OpenWindows

Frech> XF:sun-loadmodule
XF:sun-modload (CERT CA-93.18 very old!)
Prosser> Believe the reference given, 95-12, is referencing a later
loadmodule(8) setuid problem in the X11/NeWS windowing system. There is an
earlier, similar setuid vulnerability in the CA-93.18, CIAC G-02 advisories
for the SunOS 4.1.x/Solbourne and OpenWindow 3.0. In fact, there may be the
same as the HP patches are 100448-02 for the 93 loadmodule/modload
vulnerability and 100448-03 for the 95 loadmodule vulnerability which
normally indicated a patch update. Looks like the original patch either
didn't completely fix the problem or it resurfaced in X11 NeWS. Can't tell
much beyond that and this is my opinion only as have no way to check it.
Which one is this CVE referencing? I accept both.
Dik> There are three similar Sun bug ids associated with the patches.
1076118 loadmodule has a security vulnerability
1148753 loadmodule has a security vulnerability
1222192 loadmodule has a security vulnerability
as well as:
1137491
Ancient stuff.
Christey> Add period to the end of the description.

Wall> Acknowledged by vendor at
http://www.sun.com/software/jwebserver/techinfo/jws112info.html.
Baker> Vulnerability Reference (HTML) / Reference Type:
http://www.securityfocus.com/archive/1/7260 - Misc Defensive Info
http://www.sun.com/software/jwebserver/techinfo/jws112info.html - Vendor Info
Christey> BID:1891
URL:http://www.securityfocus.com/bid/1891
Christey> Add version number (1.1 beta) and details of attack (appending
a . or a \)
The Sun URL referenced by Dave Baker no longer exists, so I
wasn't able to verify that it addressed the problem described
in the Bugtraq post. This might not even be Sun's
"Java Web Server," as CAN-2001-0186 describes some product
called "Free Java Web Server"
Dik> There appears to be some confusion.
The particular bug seems to be one in JWS 1.1beta or 1.1 which was fixed
in 1.1.2 (get foo.jhtml source by appending "." or "\" to URL)
There are other bugs that give access and that require a configuration
change.
http://www.sun.com/software/jwebserver/techinfo/security_advisory.html
Christey> Need to make sure to create CAN's for the other bugs,
as documented in:
NTBUGTRAQ:19980724 Alert: New Source Bug Affect Sun JWS
http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222454131622&w=2
BUGTRAQ:19980725 Alert: New Source Bug Affect Sun JWS
http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526086&w=2
The reported bugs are:
1) file read by appending %20
2) Directly call /servlet/file
URL:http://www.sddt.com/cgi-bin/Subscriber?/library/98/07/24/tbd.html
#2 is explicitly mentioned in the Sun advisory for
CAN-1999-0283.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:javawebserver-cgi-source(5383)

CAN-1999-0284

Phase: Proposed (19990623)
Reference: XF:smtp-helo-bo

Description: Denial of service to NT mail servers including Ipswitch, Mdaemon, and
Exchange through a buffer overflow in the SMTP HELO command.

Frech> "Windows NT-based mail servers" (A trademark thing, and for clarification)
XF:mdaemon-helo-bo
XF:lotus-notes-helo-crash
XF:slmail-helo-overflow
XF:smtp-helo-bo (mentions several products)
XF:smtp-exchangedos
Levy> - Need one per software. Each one should be its own
vulnerability.
Ozancin> => Windows NT is correct
Christey> These are probably multiple codebases, so we'll need to use
dot notation. Also need to see if this should be merged
with CAN-1999-0098 (Sendmail SMTP HELO).

CAN-1999-0285

Phase: Proposed (19990630)

Description: Denial of service in telnet from the Windows NT Resource Kit, by
opening then immediately closing a connection.

Votes:

ACCEPT(1) Hill
NOOP(1) Wall
REJECT(2) Frech, Christey

Voter Comments:

Christey> No references, no information.
CHANGE> [Frech changed vote from REVIEWING to REJECT]
Frech> No references; closest documented match is with
CVE-2001-0346, but that's for Windows 2000.

CAN-1999-0286

Phase: Proposed (19990714)

Description: In some NT web servers, appending a space at the end of a URL may
allow attackers to read source code for active pages.

Wall> In some NT web servers, appending a dot at the end of a URL may
allows attackers to read source code for active pages.
Source: MS Knowledge Base Article Q163485 - "Active Server Pages Script Appears
in Browser"
Frech> In the meantime, reword description as 'Windows NT' (trademark issue)
Christey> Q163485 does not refer to a space, it refers to a dot.
However, I don't have other references.
Reading source code with a dot appended is in CAN-1999-0154,
which will be proposed. A subsequent bug similar to the
dot bug is CAN-1999-0253.
Levy> NTBUGTRAQ: http://www.securityfocus.com/archive/2/22014
NTBUGTRAQ: http://www.securityfocus.com/archive/2/22019
BID 273
Blake> Reference: http://www.allaire.com/handlers/index.cfm?ID=10967
CHANGE> [Christey changed vote from NOOP to REVIEWING]
CHANGE> [Frech changed vote from REVIEWING to REJECT]
Frech> BID articles)

Shostack> allows file reading
Frech> XF:http-cgi-webcom-guestbook
Christey> CAN-1999-0287 is probably a duplicate of CAN-1999-0467. In
NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
Mnemonix says that he had previously reported on a similar
problem. Let's refer to the NTBugtraq posting as
CAN-1999-0467. We will refer to the "previous report" as
CAN-1999-0287, which could be found at:
http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html
0287 describes an exploit via the "template" hidden variable.
The exploit describes manually editing the HTML form to
change the filename to read from the template variable.
The exploit as described in 0467 encodes the template variable
directly into the URL. However, hidden variables are also
encoded into the URL, which would have looked the same to
the web server regardless of the exploit. Therefore 0287
and 0467 are the same.
Christey> BID:2024

CAN-1999-0298

Phase: Modified (20000524-01)
Reference: NAI:19970205 Vulnerabilities in Ypbind when run with -ypset/-ypsetme
Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/06_ypbindsetme_adv.asp

Christey> ADDREF BID:1441
URL:http://www.securityfocus.com/bid/1441
Dik> If you run with "-ypset", then you're always insecure.
With ypsetme, only root on the local host
can run ypset in Solaris 2.x+.
Probably true for SunOS 4, hence my vote.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> ADDREF XF:ypbind-ypset-root
CHANGE> [Dik changed vote from REVIEWING to ACCEPT]
Dik> This vulnerability does exist in SunOS 4.x in non default configurations.
In Solaris 2.x, the vulnerability only applies to files named "cache_binding"
and not all files ending in .2
Both releases are not vulnerable in the default configuration (both
disallow ypset by default, which prevents this problem from occurring)

Prosser> This is another of those with multiple affected OSs.
Refs: CA-97.13, http://207.237.120.45/linux/xlock-exploit.txt,
HPSBUX9711-073, SGI 19970502-02-PX, Sun Bulletin 000150
Christey> XF:hp-xlock points to SGI:19970502-02-PX which says this is
the same problem as in CERT:CA-97.13, which is CVE-1999-0038.

Prosser> only ref I can find is an old SOD exploit on
www.outpost9.com
Christey> MERGE CAN-1999-0336 (the exact exploit works with both
cstm and mstm, which are clearly part of the same package,
so CD:SF-EXEC says to merge them.)
Also, there does not seem to be any recognition of this problem
by HP. The only other information besides the Bugtraq post
is the SOD exploit.
See the original post:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1996-11-15&msg=Pine.LNX.3.91.961116112242.15276J-100000@underground.org

Christey> DUPE CAN-1999-0845?
Also, ADDREF XF:unixware-su-username-bo
A report summary by Aleph One states that nobody was able to
confirm this problem on any Linux distribution.
Baker> If this is the same as the UnixWare one, then it is a dupe of 1999-0845. There is about a two and a half month difference in the Bugtraq reporting of these.
Sounds like the same bug however...
Christey> XF:su-bo no longer seems to exist.
How about XF:linux-subo(734) ?
http://xforce.iss.net/static/734.php
BID:475 also seems to describe the same problem
(http://www.securityfocus.com/bid/475) in which case,
vsyslog is blamed in:
BUGTRAQ:19971220 Linux vsyslog() overflow
http://www.securityfocus.com/archive/1/8274

Shostack> this is a high cardinality item
Prosser> needs to be more specific.
Frech> Replace reference with XF:iemk-bug (msie-bo is obsolete and a vague
duplicate)
Description (from xfdb): Some versions of Internet Explorer for Windows
contain a vulnerability that may crash the browser when a malicious web site
contains a certain kind of URL (that begins with "mk://") with more
characters than the browser supports.
Christey> The description is too vague.
LeBlanc> too vague
Christey> Add period to the end of the description.

Prosser> same as CAN-1999-0307, only ref I can find is an old SOD
exploit on www.outpost9.com
Christey> MERGE CAN-1999-0307 (the exact exploit works with both
cstm and mstm, which are clearly part of the same package,
so CD:SF-EXEC says to merge them.)
Also, there does not seem to be any recognition of this problem
by HP. The only other information besides the Bugtraq post
is the SOD exploit.

CAN-1999-0345

Phase: Proposed (19990728)

Description: Jolt ICMP attack causes a denial of service in Windows 95 and Windows
NT systems.

Wall> Invalid ICMP datagram fragments cause a denial of service in Windows 95 and
Windows NT systems.
Reference: Q154174.
Jolt is also known as sPING, ICMP bug, Icenewk, and Ping of Death.
It is a modified teardrop 2 attack.
Frech> XF:nt-ssping
ADDREF XF:ping-death
ADDREF XF:teardrop-mod
ADDREF XF:mpeix-echo-request-dos
Christey> I can't tell whether the Jolt exploit at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-06-28&msg=Pine.BSF.3.95q.970629163422.3264A-200000@apollo.tomco.net
is exploiting any different flaw than teardrop does.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Baker> Jolt (original) is basically just a fragmented oversized ICMP that
kills Win boxes ala Ping of Death.
Teardrop is altering the offset in fragmented tcp packets so that the
end of subsequent fragments is inside first packet...
Teardrop 2 is UDP packets, if I remember right.
Seems like Jolt (original, not jolt 2) is just exploit code that
creates a ping of death (CVE 1999-0128)
Levy> I tend to agree with Baker.
CHANGE> [Armstrong changed vote from REVIEWING to REJECT]
Armstrong> This code does not use fragment overlap. It is simply a large ICMP echo request.
Christey> See the SCO advisory at:
http://www.securityfocus.com/templates/advisory.html?id=1411
which may further clarify the issue.
LeBlanc> This is a hodge-podge of DoS attacks. Jolt isn't the same
thing as ping of death - POD was an oversized ICMP packet, Jolt froze
Linux and Solaris (and I think not NT), IIRC Jolt2 did get NT boxes.
Teardrop and teardrop2 were related attacks (usually ICMP frag attacks),
but each of these is a distinct vulnerability, affected a discrete group
of systems, and should have distinct CVE numbers. CVE entries should be
precise as to what the problem is.
Meunier> I agree with Leblanc in that Jolt is multi-faceted. Jolt has
characteristics of Ping of Death AND teardrop, but it doesn't do
either exactly. Moreover, it sends a truncated IP fragment. I
disagree with Armstrong; jolt uses overlapping fragments. It's not a
simple ping of death either. It may be that the author's intent was
to construct a "super attack" somehow combining elements of other
vulnerabilities to try to make it more potent. In any case it
succeeded in confusing the CVE board :-).
I notice that Jolt uses echo replies (type 0) instead of echo
requests (to get past firewalls?). Jolt is peculiar in that it also
sends numerous overlapping fragments. The "Pascal Simulator" :-) says
it sends:
- 172 fragments of length 400 with offset starting at 5120 and
increasing by about 47 (odd arithmetic of 5120 OR ((n* 380) >> 3)),
which eventually results in sending fragments inside an already
covered area once ((n* 380) >> 3) is greater than 5120, which occurs
when n reaches 108. This would look a bit like TearDrop if
fragments were reassembled on-the-fly.
- 1 fragment such that the total length of all the fragments
is greater than 65535 (my calculation is 172*380 + 418 = 65778; the
comment about 65538 must be wrong). The last packet is size 418
according to the IP header but the buffer is of size 400. The sendto
takes as argument the size of the buffer so a truncated packet is
sent.
So, I am not sure if the problem is because the last packet
doesn't extend to the payload it says it has or because the total size
of all fragments is greater than 65535. The author says it may take
more than one sending, so perhaps this has to do with an incorrect
error handling and recovery. One would need to experiment and isolate
each of those characteristics and test them independently. Inasmuch
as each of those things is likely a different vulnerability, then I
agree with Leblanc that this entry should be split. I'll try that if
I ever get bored. Jolt 2 should also have a different entry (see
below).
Jolt 2 runs in an infinite loop, sending the same fragmented
IP packet, which can pretend to be "ICMP" or "UDP" data; however this
is meaningless, as it's just a late fragment of an IP packet. The
attack works only as long as packets are sent. According to
http://www.securityfocus.com/archive/1/62170 the packets are
truncated, and would overflow over the 65535 byte limit, which is
similar to Jolt. Note that Jolt does send that much data whereas
jolt2 doesn't. Since jolt2 is simpler and narrower than jolt, and it
has weaker consequences, I believe that it's a different
vulnerability.
"Jolt 2 vulnerability causes a temporary denial-of-service in
Windows-type OSes" would be a title for it.

Description: Internet Explorer 4.x or 5.x with Word 97 allows arbitrary execution
of Visual Basic programs to the IE client through the Word 97
template, which doesn't warn the user that the template contains
executable content. Also applies to Outlook when the client views a
malicious email message.

Christey> I can't find the original Bugtraq posting (it appears that
mnemonix discovered the problem).
LeBlanc> - if there was a fix or a KB article, I'd ACCEPT. A vuln based on a
BUGTRAQ posting we can't find could be anything.
Baker> Vulnerability Reference (HTML) / Reference Type:
http://www.securityfocus.com/archive/1/12218 - Misc Defensive Info
This is the URL for the Bugtraq posting. It was cross posted to
NT Bugtraq as well, but identical text. It was Mnemonix...
Christey> BID:1811
URL:http://www.securityfocus.com/bid/1811
Christey> CHANGEREF BUGTRAQ add "Server 2." to the subject.
Also standardize NTBUGTRAQ reference title.
Christey> Add "uploadn.asp" to the description.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:siteserver-user-dir-permissions(5384)

CAN-1999-0361

Phase: Proposed (19990728)
Reference: BUGTRAQ:Jan29,1999

Description: NetWare version of LaserFiche stores usernames and passwords
unencrypted, and allows administrative changes without logging.

Frech> Reference: XF:sun-man
Christey> ADDREF CIAC:J-028
Is the Linux man symlink problem the same as the one for Sun?
See BUGTRAQ:19990602 /tmp symlink problems in SuSE Linux 6.1
Also see BID:305
Dik> sun bug 4154565

Christey> Is this the same as CVE-1999-0373? They both have the same
X-Force reference.
BID:342 suggests that there are two.
http://www.debian.org/security/1999/19990215a suggests
that there are two. However, CVE-1999-0373 is written up in
a fashion that is too general; and both XF:linux-super-bo and
XF:linux-super-logging-bo refer to CVE-1999-0373.
CVE-1999-0373 may need to be split.
Frech> From what I can surmise, ISS released the original advisory (attached to
linux-super-bo), and Sekure SDI expanded on it by releasing another related
overflow in syslog (which is linux-super-logging-bo).
When I was originally assigning these issues, I placed both XF references
and the ISS advisory on the -0373 candidate, since there was nothing else
available. Based on the information above, I'd request that
XF:linux-super-logging-bo be removed from CVE-1999-0373.
Christey> Given Andre's feedback, these are different issues.
CVE-1999-0373 does not need to be split because the ISS
reference is sufficient to distinguish that CVE from this
candidate; however, the CVE-1999-0373 description should
probably be modified slightly.
Bishop> (as indicated by Christey)
CHANGE> [Cole changed vote from NOOP to ACCEPT]
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> There are 2 bugs, as confirmed by the super author at:
BUGTRAQ:19990226 Buffer Overflow in Super (new)
http://www.securityfocus.com/archive/1/12713
BID:397 also seems to cover this one, and it may cover
CVE-1999-0373 as well.

Description: Buffer overflow in the bootp server in the Debian Linux netstd
package.

Votes:

ACCEPT(2) Ozancin, Stracener
MODIFY(1) Frech
REVIEWING(1) Christey

Voter Comments:

Christey> Is CAN-1999-0389 a duplicate of CAN-1999-0798? CAN-1999-0389
has January 1999 dates associated with it, while CAN-1999-0798
was reported in late December.
Also, is this the same line of code as CVE-1999-0914? Both are in
the netstd package, it could look like a library problem.
However, deep in the changelog in the
netstd_3.07-7slink.3.diff on Debian, Herbert Xu includes
the following entry:
+netstd (3.07-7slink.1) frozen; urgency=high
+
+ * bootpd: Applied patch from Redhat as well as a fix for the overflow in
+ report() (fixes #30675).
+ * netkit-ftp: Applied patch from RedHat that fixes some obscure overflow
+ bugs.
+
+ -- Herbert Xu <herbert@debian.org> Sat, 19 Dec 1998 14:36:48 +1100
This tells me that two separate bugs are involved.
Note that Red Hat posted *some* fix for *some* bootp problem
in June 1998. See:
http://www.redhat.com/support/errata/rh42-errata-general.html#bootp
Frech> XF:debian-netstd-bo
Christey> Further analysis indicates that this is a duplicate of CVE-1999-0799
CHANGE> [Christey changed vote from REJECT to REVIEWING]
Christey> The fix information for BID:324 suggests that there are two
overflows, one of which is in handle_request (bootpd.c) and is
likely related to a file name; but there is another issue in
report (report.c) which also looks like a straightforward
overflow, which would suggest that this is not a duplicate of
CAN-1999-0798 or CVE-1999-0799.
Note: see comments for CAN-1999-0798 which explain how that
candidate is not related to CAN-1999-0799.

Description: DPEC Online Courseware allows an attacker to change another user's
password without knowing the original password.

Votes:

NOOP(1) Christey
REJECT(1) Frech

Voter Comments:

Frech> If I understand the issue, this HIGHCARD involves insecure web programming.
If I don't understand, mark this as my first NOOP.
Christey> CONFIRM:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D19990803132618.16407.qmail%40securityfocus.com
ADDREF BID:565
URL:http://www.securityfocus.com/vdb/bottom.html?vid=565

Description: The DCC server command in the Mirc 5.5 client doesn't filter
characters from file names properly, allowing remote attackers to
place a malicious file in a different location, possibly allowing the
attacker to execute commands.

Description: Several startup scripts in SCO OpenServer Enterprise System v 5.0.4p,
including S84rpcinit, S95nis, S85tcp, and S89nfs, are vulnerable to a
symlink attack, allowing a local user to gain root access.

Description: When the Microsoft SMTP service attempts to send a message to a server
and receives a 4xx error code, it quickly and repeatedly attempts to
redeliver the message, causing a denial of service.

Votes:

MODIFY(2) Frech, LeBlanc
REVIEWING(1) Christey

Voter Comments:

Frech> XF:smtp-4xx-error-dos
LeBlanc> - if we can find a KB or something that shows that this wasn't just
user error, I'd vote ACCEPT.
Christey> David Lemson, Microsoft SMTP Service Program Manager,
posted a followup that said "We have confirmed this as a
problem..."
http://marc.theaimsgroup.com/?l=bugtraq&m=92171608127206&w=2

Description: Eudora 4.1 allows remote attackers to perform a denial of service by
sending attachments with long file names.

Votes:

ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(1) Christey

Voter Comments:

Frech> Change version number to 4.2beta. Second to last paragraph in bugtraq
reference states: "Both the Win 95 and Win NT versions, along with the 4.2
beta of Eudora are affected."
Christey> This issue seems to have been rediscovered in
BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again
http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2
Also see
BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2
Is this a duplicate/subsumed by CAN-1999-0004?

Description: XFree86 xfs command is vulnerable to a symlink attack, allowing
local users to create files in restricted directories, possibly
allowing them to gain privileges or cause a denial of service.

Votes:

MODIFY(1) Frech
NOOP(1) Christey

Voter Comments:

Frech> XF:xfree86-xfs-symlink-dos
Christey> Is this the same problem as CVE-1999-0433? CVE-1999-0433
deals with a symlink attack on one file (/tmp/.X11-unix),
while xfs (this candidate) deals with /tmp/.font-unix
XF:xfree86-xfs-symlink-dos doesn't exist.
Christey> ADDREF DEBIAN:19990331 symbolic link can be used to make any file world readable
Note: Debian's advisory says that this is not a problem for Debian.

CAN-1999-0435

Phase: Proposed (19990623)
Reference: HP:HPSBUX9903-096

Description: MC/ServiceGuard and MC/LockManager in HP-UX allows local users to gain
privileges through SAM.

Description: In IIS, an attacker could determine a real path using a request for a
non-existent URL that would be interpreted by Perl (perl.exe).

Votes:

ACCEPT(2) Ozancin, Wall
NOOP(1) Christey
REJECT(2) Frech, LeBlanc

Voter Comments:

Frech> Can't find in database.
Christey> This looks like another discovery of CAN-2000-0071
LeBlanc> - I just tried to repro this based on the BUGTRAQ vuln information,
and it does not repro -
GET /bogus.pl HTTP/1.0
HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/5.0
Date: Thu, 05 Oct 2000 21:04:20 GMT
Content-Length: 3243
Content-Type: text/html
No path is returned whatsoever. This may have been a problem on some version
of IIS in the past, but the BUGTRAQ ID says all versions are vulnerable.
Let's try and figure out what version had the problem, whether it is
intrinsic to IIS or the result of adding a 3rd party implementation of perl,
and when it got fixed, then we can try again.
CHANGE> [Frech changed vote from REVIEWING to REJECT]
Christey> Add "no-such-file.pl" as an example to the desc, to facilitate
search (it's used by CGI scanners and in the original example)

Description: A service or application has a backdoor password that was placed there
by the developer.

Votes:

ACCEPT(2) Baker, Wall
REJECT(1) Frech

Voter Comments:

Frech> Much too broad. Also may be HIGHCARD (or will be in the future).
Baker> I think we want to address this using the dot notation idea. We do need to address this, just not a separate entry for every single occurrence.

Frech> XF:cisco-ident(2289)
ADDREF BUGTRAQ:19990118 Remote Cisco Identification
In description, probably better to use "Cisco" as product/company name.
Balinsky> CiscoSecure IDS has a signature for this...ID 3602 Cisco IOS Identity.
Christey> There may be a slight abstraction problem here, e.g. look
at the candidate for queso/nmap; also see followup Bugtraq post
from "Basement Research" on 19990120 which says that there are
many other features in Cisco products that allow remote
identification.

CAN-1999-0454

Phase: Proposed (19990728)

Description: A remote attacker can sometimes identify the operating system of a
host based on how it reacts to some IP or ICMP packets, using a tool
such as nmap or queso.

Votes:

MODIFY(1) Frech
NOOP(2) Wall, Christey
REJECT(1) Northcutt

Voter Comments:

Northcutt> Nmap and queso are the tip of the iceberg and not the most advanced
ways to accomplish this. To pursue making the world signature free
is as much a vulnerability as having signatures, nay more.
Frech> XF:decod-nmap(2053)
XF:decod-queso(2048)
Christey> Add "fingerprinting" to facilitate search.
Some references:
MISC:http://www.insecure.org/nmap/nmap-fingerprinting-article.html
BUGTRAQ:19981228 A few more fingerprinting techniques - time and netmask
http://marc.theaimsgroup.com/?l=bugtraq&m=91489155019895&w=2
BUGTRAQ:19990222 Preventing remote OS detection
http://marc.theaimsgroup.com/?l=bugtraq&m=91971553006937&w=2
BUGTRAQ:20000901 ICMP Usage In Scanning v2.0 - Research Paper
http://marc.theaimsgroup.com/?l=bugtraq&m=96791499611849&w=2
BUGTRAQ:20000912 Using the Unused (Identifying OpenBSD,
http://marc.theaimsgroup.com/?l=bugtraq&m=96879267724690&w=2
BUGTRAQ:20000912 The DF Bit Playground (Identifying Sun Solaris & OpenBSD OSs)
http://marc.theaimsgroup.com/?l=bugtraq&m=96879481129637&w=2
BUGTRAQ:20000816 TOSing OSs out of the window / Fingerprinting Windows 2000 with
http://marc.theaimsgroup.com/?l=bugtraq&m=96644121403569&w=2
BUGTRAQ:20000609 p0f - passive os fingerprinting tool
http://marc.theaimsgroup.com/?l=bugtraq&m=96062535628242&w=2

Description: The Expression Evaluator sample application in ColdFusion allows
remote attackers to read or delete files on the server via
exprcalc.cfm, which does not restrict access to the server properly.

Wall> The reference should be ASB99-01 (Expression Evaluator Security Issues)
make application plural since there are three sample applications
(openfile.cfm, displayopenedfile.cfm, and exprcalc.cfm).
Christey> The CD:SF-EXEC and CD:SF-LOC content decisions apply here.
Since there are 3 separate "executables" with the same
(or similar) problem, we need to make sure that CD:SF-EXEC
determines what to do here. There is evidence that some
of these .cfm scripts have an "include" file, and if so,
then CD:SF-LOC says that we shouldn't make separate entries
for each of these scripts. On the other hand, the initial
L0pht discovery didn't include all 3 of these scripts, and
as far as I can tell, Allaire had patched the first problem
before the others were discovered. So, CD:DISCOVERY-DATE
may argue that we should split these because the problems
were discovered and patched at different times.
In any case, this candidate can not be accepted until the
Editorial Board has accepted the CD:SF-EXEC, CD:SF-LOC,
and CD:DISCOVERY-DATE content decisions.

CAN-1999-0459

Phase: Proposed (19990728)
Reference: XF:linux-milo-halt

Description: Local users can perform a denial of service in Alpha Linux, using MILO
to force a reboot.

Description: suidperl in Linux Perl does not check the nosuid mount option on file
systems, allowing local users to gain root access by placing a setuid
script in a mountable file system, e.g. a CD-ROM or floppy disk.

Christey> CAN-1999-0287 is probably a duplicate of CAN-1999-0467. In
NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
Mnemonix says that he had previously reported on a similar
problem. Let's refer to the NTBugtraq posting as
CAN-1999-0467. We will refer to the "previous report" as
CAN-1999-0287, which can be found at:
http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html
0287 describes an exploit via the "template" hidden variable.
The exploit describes manually editing the HTML form to
change the filename to read from the template variable.
The exploit as described in 0467 encodes the template variable
directly into the URL. However, hidden variables are also
encoded into the URL, which would have looked the same to
the web server regardless of the exploit. Therefore 0287
and 0467 are the same.
Christey>
The CD:SF-EXEC content decision also applies here. We have 2
programs, wguest.exe and rguest.exe, which appear to have the
same problem. CD:SF-EXEC needs to be accepted by the Editorial
Board before this candidate can be converted into a CVE
entry. When finalized, CD:SF-EXEC will decide whether
this candidate should be split or not.
Christey> BID:2024

Description: The Expression Evaluator in the ColdFusion Application Server allows a
remote attacker to upload files to the server via openfile.cfm, which
does not restrict access to the server properly.

Votes:

ACCEPT(3) Frech, Ozancin, Christey
REJECT(1) Wall

Voter Comments:

Wall> Duplicate of 0455
Christey> CAN-1999-0477 and CAN-1999-0455 were discovered at different
times. Also, the attack was different. So "Same Attack" and
"Same Time of Discovery" dictate that these should remain
separate.

Description: Internet Explorer 4.0 and 5.0 allows a remote attacker to execute
security scripts in a different security context using malicious
URLs, a variant of the "cross frame" vulnerability.

Votes:

ACCEPT(1) Landfield
MODIFY(2) Frech, Wall
NOOP(2) Ozancin, Christey

Voter Comments:

Frech> XF:ie-mshtml-crossframe
Wall> (source: MSKB:Q168485)
Christey> CAN-1999-0469 appears to be a duplicate; prefer this one over
that one, since this one has an MS advisory. Confirm with
Microsoft that these are really duplicates.
Also review CVE-1999-0487, which appears to be a similar
bug.

Description: MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to paste
a file name into the file upload intrinsic control, a variant of
"untrusted scripted paste" as described in MS:MS98-013.

Frech> Wasn't Untrusted scripted paste MS98-015? I can find no mention of a
clipboard in either.
I cannot proceed on this one without further clarification.
Wall> (source: MS:MS99-012)
Prosser> agree with Andre here. The Untrusted Scripted paste
vulnerability was originally addressed in MS98-015 and it is in the file
upload intrinsic control in which an attacker can paste the name of a file
on the target's drive in the control and a form submission would then send
that file from the attacked machine to the remote web site. This one has
nothing to do with the clipboard. What the advisory mentioned here,
MS99-012, does is replace the MSHTML parsing engine which is supposed to fix
the original Untrusted Scripted Paste issue and a variant, as well as the
two Cross-Frame variants and a privacy issue in IMG SRC.
The vulnerability that allowed reading of a user's clipboard is the Forms
2.0 Active X control vulnerability discussed in MS99-01
Christey> The advisory should have been listed as MS99-012.
CVE-1999-0468 describes the untrusted scripted paste problem
in MS99-012.
Frech> Pending response to guidance request. 12/6/01.

Shostack> isn't that what finger is supposed to do?
Landfield> Maybe we need a new category of "unsafe system utilities and protocols"
Blake> Ffingerd 1.19 allows remote attackers to differentiate valid and invalid
usernames on the target system based on its responses to finger queries.
Christey> CHANGEREF BUGTRAQ [canonicalize]
BUGTRAQ:19990423 Ffingerd privacy issues
http://marc.theaimsgroup.com/?l=bugtraq&m=92488772121313&w=2
Here's the nature of the problem.
(1) FFingerd allows users to decide not to be fingered,
printing a message "That user does not want to be fingered"
(2) If the fingered user does not exist, then FFingerd's
intended default is to print that the user does not
want to be fingered; however, the error message has a
period at the end.
Thus, ffingerd can allow someone to determine who valid users
on the server are, *in spite of* the intended functionality of
ffingerd itself. Thus this exposure should be viewed in light
of the intended functionality of the application, as opposed
to the common usage of the finger protocol in general.
Also, the vendor posted a followup and said that a patch was
available. See:
http://marc.theaimsgroup.com/?l=bugtraq&m=92489375428016&w=2
Baker> Vulnerability Reference (HTML): http://www.securityfocus.com/archive/1/13422 (Reference Type: Misc Defensive Info)
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:ffinger-user-info(5393)
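The existence-oracle Christey describes for ffingerd (the unknown-user reply differing from the opt-out reply only by a trailing period) as an added example, not code from this page or from the ffingerd project. The account table, user names and reply strings are constructed; leaks_existence() is the regression check a maintainer would run after a fix, returning True while an unauthenticated client can still tell an opted-out account from a nonexistent one.

```python
"""Username-disclosure check for a finger-style responder.

Added example, not code from the CVE page or from the ffingerd project. It
models the behaviour described in the voter comment with constructed data: an
account table with a per-user "do not finger me" flag, and an unknown-user
reply that differs from the opt-out reply only by a trailing period.
leaks_existence() returns True while the replies form an existence oracle.
"""
from typing import Callable, Iterable

# Constructed account table: username -> True if the user allows finger lookups.
ACCOUNTS = {"alice": True, "bob": False}

OPT_OUT = "That user does not want to be fingered"


def vulnerable_responder(user: str) -> str:
    """Reply as the page describes the flawed daemon: the unknown-user branch
    reuses the opt-out text but ends it with a period."""
    if user not in ACCOUNTS:
        return OPT_OUT + "."
    if not ACCOUNTS[user]:
        return OPT_OUT
    return f"Login: {user}"


def hardened_responder(user: str) -> str:
    """Unknown and opted-out users share one byte-identical reply, so the
    reply carries no information about whether the account exists."""
    if ACCOUNTS.get(user, False):
        return f"Login: {user}"
    return OPT_OUT


def leaks_existence(responder: Callable[[str], str],
                    opted_out: Iterable[str],
                    nonexistent: Iterable[str]) -> bool:
    """True if the set of replies for opted-out accounts differs from the set
    of replies for nonexistent accounts, i.e. the reply reveals existence."""
    replies_opted_out = {responder(u) for u in opted_out}
    replies_nonexistent = {responder(u) for u in nonexistent}
    return replies_opted_out != replies_nonexistent


if __name__ == "__main__":
    probes = (["bob"], ["carol", "dave"])
    print("vulnerable leaks:", leaks_existence(vulnerable_responder, *probes))  # True
    print("hardened leaks:  ", leaks_existence(hardened_responder, *probes))    # False
```

The check compares sets of replies rather than single strings so that it also catches daemons that vary the message per user; a responder passes only when every opted-out and every nonexistent name yields the same reply set.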

CAN-1999-0495

Phase: Proposed (19990728)

Description: A remote attacker can gain access to a file system using .. (dot dot)
when accessing SMB shares.

Frech> Change wording to 'Windows NT.'
XF:snmp-netbios
LeBlanc> Share info can be obtained via SNMP queries, but I question
whether this is a vulnerability. The system can be configured not to do
this, and one may argue that SNMP itself is an insecure configuration.
Furthermore, the share information isn't published via registry keys -
the description could refer to more than one actual issue. SNMP is meant
to allow people to obtain information about systems. I'm willing to
discuss this with the rest of the board.

Frech> Guessable falls into the class of CAN-1999-0502, since I can guess a
default, null, etc. password.
Suggest changing to something like "has an existing non-default password
that can be guessed."
I'm also including default passwords in this entry.
In that vein, we show the following references:
XF:user-password
XF:passwd-username
XF:default-unix-sync
XF:default-unix-4dgifts
XF:default-unix-bin
XF:default-unix-daemon
XF:default-unix-lp
XF:default-unix-me
XF:default-unix-nuucp
XF:default-unix-root
XF:default-unix-toor
XF:default-unix-tour
XF:default-unix-tty
XF:default-unix-uucp
Christey> This candidate is affected by the CD:CF-PASS content decision,
which determines the appropriate level of abstraction to
use for password problems. CD:CF-PASS needs to be accepted
by the Editorial Board before this candidate can be
converted into a CVE entry; the final version of CD:CF-PASS
may require using a different LOA than this candidate is
currently using.
CHANGE> [Meunier changed vote from ACCEPT to RECAST]
Meunier> This relates only to account password technology, so this candidate is
independent of the operating system, application, web site or other
application of this technology. The appropriate (natural) level of
abstraction is therefore without specifying that it is for UNIX.
Change the description to "An account has a guessable password other
than default, null, blank." This should satisfy Andre's objection.
This Candidate should be merged with any candidate relating to
account password technology where "Unix" in the original description
can be replaced by something else.

CAN-1999-0502

Phase: Proposed (19990714)

Description: A Unix account has a default, null, blank, or missing password.

Frech> XF:passwd-blank
XF:no-pass
XF:dict
XF:sgi-accounts
XF:linux-caldera-lisa
Christey> This candidate is affected by the CD:CF-PASS content decision,
which determines the appropriate level of abstraction to
use for password problems. CD:CF-PASS needs to be accepted
by the Editorial Board before this candidate can be
converted into a CVE entry; the final version of CD:CF-PASS
may require using a different LOA than this candidate is
currently using.

CAN-1999-0503

Phase: Proposed (19990714)

Description: A Windows NT local user or administrator account has a guessable
password.

Frech> Note: I am assuming that this entry includes Windows 2000 accounts and
machine/service accounts listed in User Manager.
XF:nt-guess-admin
XF:nt-guess-user
XF:nt-guess-guest
XF:nt-guessed-operpwd
XF:nt-guessed-powerwd
XF:nt-guessed-disabled
XF:nt-guessed-backup
XF:nt-guessed-acctoper-pwd
XF:nt-adminuserpw
XF:nt-guestuserpw
XF:nt-accountuserpw
XF:nt-operator-userpw
XF:nt-service-user-pwd
XF:nt-server-oper-user-pwd
XF:nt-power-user-pwd
XF:nt-backup-operator-userpwd
XF:nt-disabled-account-userpwd
Christey> This candidate is affected by the CD:CF-PASS content decision,
which determines the appropriate level of abstraction to
use for password problems. CD:CF-PASS needs to be accepted
by the Editorial Board before this candidate can be
converted into a CVE entry; the final version of CD:CF-PASS
may require using a different LOA than this candidate is
currently using.

CAN-1999-0504

Phase: Proposed (19990714)

Description: A Windows NT local user or administrator account has a default, null,
blank, or missing password.

Frech> XF:nt-guestblankpw
XF:nt-adminblankpw
XF:nt-adminnopw
XF:nt-usernopw
XF:nt-guestnopw
XF:nt-accountblankpw
XF:nt-nopw
XF:nt-operator-blankpwd
XF:nt-server-oper-blank-pwd
XF:nt-power-user-blankpwd
XF:nt-backup-operator-blankpwd
XF:nt-disabled-account-blankpwd
Christey> This candidate is affected by the CD:CF-PASS content decision,
which determines the appropriate level of abstraction to
use for password problems. CD:CF-PASS needs to be accepted
by the Editorial Board before this candidate can be
converted into a CVE entry; the final version of CD:CF-PASS
may require using a different LOA than this candidate is
currently using.

CAN-1999-0505

Phase: Proposed (19990714)

Description: A Windows NT domain user or administrator account has a guessable
password.

Description: Perl, sh, csh, or other shell interpreters are installed in the
cgi-bin directory on a WWW site, which allows remote attackers to
execute arbitrary commands.

Votes:

ACCEPT(2) Northcutt, Wall
MODIFY(1) Frech
REVIEWING(1) Christey

Voter Comments:

Christey> What is the right level of abstraction to use here? Should
we combine all possible interpreters into a single entry,
or have a different entry for each one? I've often seen
Perl separated from other interpreters - is it included
by default in some Windows web server configurations?
Christey> Add tcsh, zsh, bash, rksh, ksh, ash, to support search.
Frech> XF:http-cgi-vuln(146)

Frech> XF:smtp-sendmail-relay(210)
XF:ntmail-relay(2257)
XF:exchange-relay(3107) (also assigned to CVE-1999-0682)
XF:smtp-relay-uucp(3470)
XF:sco-sendmail-spam(4342)
XF:sco-openserver-mmdf-spam(4343)
XF:lotus-domino-smtp-mail-relay(6591)
XF:win2k-smtp-mail-relay(6803)
XF:cobalt-poprelayd-mail-relay(6806)
Candidate implicitly may refer to relaying settings enabled by default, or
the bypass/circumvention of relaying. Both interpretations were used in
assigning this candidate.
Christey> The intention of this candidate is to cover configurations in
which the admin has explicitly enabled relaying. Other cases
in which the application *intends* to prevent relaying, but
there is some specific input that bypasses/tricks it, count
as vulnerabilities (or exposures?) and as such would be
assigned different numbers.
http://www.sendmail.org/~ca/email/spam.html seems like a good
general resource, as does ftp://ftp.isi.edu/in-notes/rfc2505.txt
Christey> I changed the description to make it more clear that the issue
is that of explicit configuration, as opposed to being the
result of a vulnerability.

CAN-1999-0515

Phase: Proposed (19990728)

Description: An unrestricted remote trust relationship for Unix systems has been
set up, e.g. by using a + sign in /etc/hosts.equiv.

Frech> XF:snmp-get-guess
XF:snmp-set-guess
XF:sol-hidden-commstr
XF:hpov-hidden-snmp-comm
Christey> This candidate is affected by the CD:CF-PASS content decision,
which determines the appropriate level of abstraction to
use for password problems. CD:CF-PASS needs to be accepted
by the Editorial Board before this candidate can be
converted into a CVE entry; the final version of CD:CF-PASS
may require using a different LOA than this candidate is
currently using.

CAN-1999-0517

Phase: Proposed (19990714)

Description: An SNMP community name is the default (e.g. public), null, or
missing.

Frech> XF:nt-snmp
XF:snmp-comm
XF:snmp-set-any
XF:snmp-get-public
XF:snmp-set-public
XF:snmp-get-any
Christey> This candidate is affected by the CD:CF-PASS content decision,
which determines the appropriate level of abstraction to
use for password problems. CD:CF-PASS needs to be accepted
by the Editorial Board before this candidate can be
converted into a CVE entry; the final version of CD:CF-PASS
may require using a different LOA than this candidate is
currently using.
Christey> Consider adding BID:2112

Northcutt> I think we need to enumerate the shares and or the access control
Christey> One question is, what is "inappropriate"? It's probably
very dependent on the policy of the enterprise on which
this is found. And should writable shares be different
from readable shares? (Or file systems, mail spools, etc.)
Yes, the impact may be different, but we could have a
large number of entries for each possible type of access.
A content decision (CD:CF-DATA) needs to be reviewed
and accepted by the Editorial Board in order to resolve
this question.
LeBlanc> Unacceptably vague - agree with Christey's comments.
Frech> associated to:
XF:nt-netbios-everyoneaccess(1)
XF:nt-netbios-guestaccess(2)
XF:nt-netbios-allaccess(3)
XF:nt-netbios-open(15)
XF:nt-netbios-write(19)
XF:nt-netbios-shareguest(20)
XF:nt-writable-netbios(26)
XF:nb-rootshare(393)
XF:decod-smb-password-empty(2358)

Frech> XF:nis-dom
Christey> Consider http://www.cert.org/advisories/CA-1992-13.html
as well as ftp://ciac.llnl.gov/pub/ciac/bulletin/c-fy92/c-25.ciac-sunos-nis-patch

CAN-1999-0522

Phase: Proposed (19990803)
Reference: CERT:CA-96.10

Description: The permissions for a system-critical NIS+ table (e.g. passwd) are
inappropriate.

Votes:

ACCEPT(1) Wall
NOOP(1) Christey
RECAST(1) Northcutt

Voter Comments:

Northcutt> Why not say world readable, this is what you do further down in the
file (world exportable in CAN-1999-0554)
Christey> ADDREF AUSCERT:AA-96.02

CAN-1999-0523

Phase: Proposed (19990726)

Description: ICMP echo (ping) is allowed from arbitrary hosts.

Votes:

MODIFY(1) Meunier
REJECT(2) Northcutt, Frech

Voter Comments:

Northcutt> (Though I sympathize with this one :)
CHANGE> [Frech changed vote from REVIEWING to REJECT]
Frech> Ping is a utility that can be run on demand; ICMP echo is a message
type. As currently worded, this candidate seems as if an arbitrary host
is vulnerable because it is capable of running an arbitrary program or
function (in this case, ping/ICMP echo). There are many programs/functions
that 'shouldn't' be on a computer, from a security admin's perspective.
Even if this were a vulnerability, it would be impacted by CD-HIGHCARD.
Meunier> Every ICMP message type presents a vulnerability or an
exposure, if access is not controlled. By that I mean not only those
in RFC 792, but also those in RFC 1256, 950, and more. I think that
the description should be changed to "ICMP messages are acted upon
without any access control". ICMP is an error and debugging protocol.
We complain about vendors leaving testing backdoors in their programs.
ICMP is the equivalent for TCP/IP. ICMP should be in the dog house,
unless you are trying to troubleshoot something. MTU discovery is
just a performance tweak -- it's not necessary. I don't know of any
ICMP message type that is necessary if the network is functional.
Limited logging of ICMP messages could be useful, but acting upon them
and allowing the modification of routing tables, the behavior of the
TCP/IP stack, etc... without any form of authentication is just crazy.

CAN-1999-0524

Phase: Proposed (19990726)

Description: ICMP information such as netmask and timestamp is allowed from
arbitrary hosts.

Votes:

MODIFY(2) Frech, Meunier
REJECT(1) Northcutt

Voter Comments:

Frech> XF:icmp-timestamp
XF:icmp-netmask
Meunier> If this is not merged with 1999-0523 as I commented for that
CVE, then the description should be changed to "ICMP messages of types
13 and 14 (timestamp request and reply) and 17 and 18 (netmask request
and reply) are acted upon without any access control". It's a more
precise and correct language. I believe that this is a valid CVE
entry (it's a common source of vulnerabilities or exposures) even
though I see that the inferred action was "reject". Knowing the time
of a host also allows attacks against random number generators that
are seeded with the current time. I want to push to have it accepted.

CAN-1999-0525

Phase: Proposed (19990726)

Description: IP traceroute is allowed from arbitrary hosts.

Votes:

MODIFY(1) Frech
REJECT(1) Northcutt

Voter Comments:

Frech> XF:traceroute

CAN-1999-0527

Phase: Proposed (19990803)

Description: The permissions for system-critical data in an anonymous FTP account
are inappropriate. For example, the root directory is writeable by
world, a real password file is obtainable, or executable commands such
as "ls" can be overwritten.

Votes:

ACCEPT(3) Northcutt, Baker, Wall
MODIFY(1) Frech

Voter Comments:

Northcutt> That that starts to get specific :)
Frech> ftp-writable-directory(6253)
ftp-write(53)
"writeable" in the description should be "writable."

CAN-1999-0528

Phase: Proposed (19990726)

Description: A router or firewall forwards external packets that claim to come from
inside the network that the router/firewall is in front of.

Northcutt> I have seen ISPs "assign" private addresses within their domain
Meunier> A border router or firewall forwards packets that claim to come from IANA
reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x,
etc, outside of their area of validity.
CHANGE> [Frech changed vote from REVIEWING to ACCEPT]
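The filtering rule Meunier's rewording describes for CAN-1999-0528, as an added example that is not code from this page or from any router vendor. The site's own block (192.0.2.0/24, a documentation range used here as a stand-in), the sample traffic and the bogon list (RFC 1918 private space, loopback, link-local and "this network") are constructed for the example; it applies both the inbound rule (drop outside packets that claim an inside or non-routable source) and the matching outbound rule (only the site's own block may leave).

```python
"""Anti-spoofing (ingress/egress) source-address filter for a border router.

Added example, not from the CVE page. Packets arriving on the outside
interface are dropped when their source belongs to the site's own block or to
a range that is not valid on the public Internet; packets leaving are dropped
unless their source is inside the site's block.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed: the address block behind this border router (assumption).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Source ranges that cannot legitimately arrive from the outside.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this network"
    "10.0.0.0/8",       # RFC 1918 private
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.168.0.0/16",   # RFC 1918 private
)]


def _in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def ingress_allowed(src: str) -> bool:
    """Inbound rule: reject sources that claim to be inside, or that lie in a
    range that is never routable across the public Internet."""
    addr = ipaddress.ip_address(src)
    if _in_any(addr, INTERNAL_NETS):
        return False  # spoofed "insider" address arriving from outside
    if _in_any(addr, BOGON_NETS):
        return False
    return True


def egress_allowed(src: str) -> bool:
    """Outbound rule: only our own block may leave, so this site cannot be
    used as a launch point for traffic with forged sources."""
    return _in_any(ipaddress.ip_address(src), INTERNAL_NETS)


def filter_packets(packets: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """packets: (direction, source) pairs, direction "in" or "out".
    Returns (direction, source, verdict) with verdict "forward" or "drop"."""
    result = []
    for direction, src in packets:
        allowed = ingress_allowed(src) if direction == "in" else egress_allowed(src)
        result.append((direction, src, "forward" if allowed else "drop"))
    return result


if __name__ == "__main__":
    # Constructed sample traffic as seen at the border.
    sample = [
        ("in", "203.0.113.7"),    # ordinary external host
        ("in", "192.0.2.10"),     # claims to be one of ours
        ("in", "10.1.2.3"),       # private space never arrives from outside
        ("in", "127.0.0.1"),      # loopback
        ("out", "192.0.2.10"),    # legitimate outbound
        ("out", "198.51.100.9"),  # not ours: forged if it left here
    ]
    for row in filter_packets(sample):
        print(*row)
```

Northcutt's remark about ISPs assigning private addresses is the usual operational caveat: the internal and bogon lists must reflect what is actually valid at this border, so they are data the operator maintains rather than constants.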

CAN-1999-0530

Phase: Proposed (19990728)

Description: A system is operating in "promiscuous" mode which allows it to perform
packet sniffing.

Northcutt> inappropriate implies there is appropriate. As a guy who has been
monitoring networks for years I have deep reservations about justifying the
existence of any fixed cleartext password. For appropriate to exist, some "we"
would have to establish some criteria for appropriate passwords.
Baker> Perhaps this could be re-worded a bit. The CVE CAN-1999-00582
specifies "...settings for lockouts". To remain consistent with the
other, maybe it should specify "...settings for passwords" I think
most people would agree that passwords should be at least 8
characters; contain letters (upper and lowercase), numbers and at
least one non-alphanumeric; should only be good a limited time 30-90
days; and should not contain character combinations from user's prior
2 or 3 passwords.
Suggested rewrite -
A Windows NT account policy does not enforce reasonable minimum
security-critical settings for passwords, e.g. passwords of sufficient
length, periodic required password changes, or new password uniqueness
Ozancin> What is appropriate?
Frech> XF:nt-autologonpwd
XF:nt-pwlen
XF:nt-maxage
XF:nt-minage
XF:nt-pw-history
XF:nt-user-pwnoexpire
XF:nt-unknown-pwdfilter
XF:nt-pwd-never-expire
XF:nt-pwd-nochange
XF:nt-pwdcache-enable
XF:nt-guest-change-passwords

CAN-1999-0537

Phase: Proposed (19990726)

Description: A configuration in a web browser such as Internet Explorer or Netscape
Navigator allows execution of active content such as ActiveX, Java,
Javascript, etc.

Votes:

ACCEPT(1) Wall
RECAST(1) Frech
REJECT(1) LeBlanc

Voter Comments:

Frech> Good candidate for dot notation.
XF:nav-java-enabled
XF:nav-javascript-enabled
XF:ie-active-content
XF:ie-active-download
XF:ie-active-scripting
XF:ie-activex-execution
XF:ie-java-enabled
XF:netscape-javascript
XF:netscape-java
XF:zone-active-scripting
XF:zone-activex-execution
XF:zone-desktop-install
XF:zone-low-channel
XF:zone-file-download
XF:zone-file-launch
XF:zone-java-scripting
XF:zone-low-java
XF:zone-safe-scripting
XF:zone-unsafe-scripting
LeBlanc> Not a vulnerability. These are just checks for configuration
settings that a user might have changed. I understand need to increase
number of checks in a scanning product, but don't feel like these belong
in CVE. Scanner vendors could argue that these entries are needed to
keep a common language.

Wall> Don't know what this is. Don't think it is a vulnerability and would
initially reject. This is different than just renaming the
administrator account.
Frech> Would appreciate more information on this one, as in a reference.
Blake> Reference: XF:nt-autologin
Ozancin> Needs more detail
Baker> I tried to find the XF:nt-autologin reference, and got no matching records from their search engine.
No refs, no details, should reject
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:nt-autologon(5)

CAN-1999-0550

Phase: Proposed (19990726)

Description: A router's routing tables can be obtained from arbitrary hosts.

Description: IIS has the #exec function enabled for Server Side Include (SSI) files.

Votes:

NOOP(1) Northcutt
RECAST(1) Shostack
REJECT(1) LeBlanc

Voter Comments:

LeBlanc> Does not meet definition of a vulnerability. This function is
just enabled. You can turn it off if you want. if you trust the people
putting up your web pages, this isn't a problem. If you don't, this is
just one of many things you need to change.

CAN-1999-0562

Phase: Proposed (19990721)

Description: The registry in Windows NT can be accessed remotely by users who are
not administrators.

Northcutt> This isn't all or nothing, users may be allowed to access part of the
registry.
Frech> XF:nt-winreg-all
XF:nt-winreg-net

CAN-1999-0564

Phase: Proposed (19990728)

Description: An attacker can force a printer to print arbitrary documents (e.g. if
the printer doesn't require a password) or to become disabled.

Votes:

ACCEPT(2) Baker, Shostack
NOOP(1) Northcutt

CAN-1999-0565

Phase: Proposed (19990728)

Description: A Sendmail alias allows input to be piped to a program.

Votes:

ACCEPT(1) Northcutt
RECAST(1) Shostack

Voter Comments:

Shostack> Is this a default alias? Is my .procmailrc an instance of this?

CAN-1999-0568

Phase: Proposed (19990728)

Description: rpc.admind in Solaris is not running in a secure mode.

Votes:

ACCEPT(1) Northcutt
NOOP(1) Christey
RECAST(2) Shostack, Dik

Voter Comments:

Shostack> are there secure modes?
Dik> Several:
1) there is no "rpc.admind" daemon.
there used to be a "admind" RPC daemon (100087/10)
and there's now an "sadmind" daemon (100232/10)
The switch over was somewhere around Solaris 2.4.
2) Neither defaults to "secure mode"
3) secure mode is "using secure RPC" which does
proper over the wire authentication by specifying
the "-S 2" option in inetd.conf
(security level 2)
Christey> XF:rpc-admind(626)
http://xforce.iss.net/static/626.php
MISC:http://pulhas.org/xploitsdb/mUNIXes/admind.html

CAN-1999-0569

Phase: Modified (19991130-01)

Description: A URL for a WWW directory allows auto-indexing, which provides a list
of all files in that directory if it does not contain an index.html
file.

Votes:

ACCEPT(1) Wall
NOOP(1) Christey
REJECT(1) Northcutt

Voter Comments:

Northcutt> I do this intentionally sometimes in high content directories
Christey> XF:http-noindex(90) ?

CAN-1999-0570

Phase: Proposed (19990728)

Description: Windows NT is not using a password filter utility, e.g. PASSFILT.DLL.

Votes:

ACCEPT(1) Northcutt
MODIFY(1) Frech
NOOP(1) Christey
REJECT(1) Wall

Voter Comments:

Northcutt> Here we are crossing into the best practices arena again. However since
passfilt does establish a measurable standard and since we aren't the
ones defining the standard, simply saying it should be employed I will
vote for this.
Frech> XF:nt-passfilt-not-inst(1308)
XF:nt-passfilt-not-found(1309)
Christey> Consider MSKB:Q161990 and MSKB:Q151082

CAN-1999-0571

Phase: Modified (20020312-01)
Reference: BUGTRAQ:Feb5,1999

Description: A router's configuration service or management interface (such as a
web server or telnet) is configured to allow connections from
arbitrary hosts.

Northcutt> I don't quite get what this means, sorry
Frech> XF:nt-regfile(178)
Christey> MISC:http://security-archive.merton.ox.ac.uk/nt-security-199902/0087.html

CAN-1999-0575

Phase: Proposed (19990721)

Description: A Windows NT system's user audit policy does not log an event success
or failure, e.g. for Logon and Logoff, File and Object Access, Use of
User Rights, User and Group Management, Security Policy Changes,
Restart, Shutdown, and System, and Process Tracking.

Northcutt> It isn't a great truth that you should enable all of the above, if you
do you potentially introduce a vulnerability of filling up the file
system with stuff you will never look at.
Ozancin> It is far less interesting what a user does successfully than what they
attempt and fail at.
Christey> The list of event types is very useful for lookup.
Frech> XF:nt-system-audit
XF:nt-logon-audit
XF:nt-object-audit
XF:nt-privil-audit
XF:nt-process-audit
XF:nt-policy-audit
XF:nt-account-audit
CHANGE> [Baker changed vote from REVIEWING to RECAST]

CAN-1999-0576

Phase: Proposed (19990721)

Description: A Windows NT system's file audit policy does not log an event success
or failure for security-critical files or directories.

Northcutt> 1.) Too general are we ready to state what the security-critical files
and directories are
2.) Does Ataris, Windows CE, PalmOS, Linux have such a capability
Ozancin> Some files and directories are clearly understood to be critical. Others are
unclear. We need to clarify what critical is.
Frech> XF:nt-object-audit

CAN-1999-0577

Phase: Proposed (19990721)

Description: A Windows NT system's file audit policy does not log an event success
or failure for non-critical files or directories.

Ozancin> It is far less interesting what a user does successfully than what they
attempt and fail at.
Perhaps only failure should be logged.
Frech> XF:nt-object-audit
CHANGE> [Baker changed vote from REVIEWING to MODIFY]
Baker> Failure on non-critical files is what should be monitored.

CAN-1999-0578

Phase: Proposed (19990721)

Description: A Windows NT system's registry audit policy does not log an event
success or failure for security-critical registry keys.

Ozancin> Again only failure may be of interest. It would be impractical to wade
through the incredibly large amount of logging that this would generate. It
could overwhelm log entries that you might find interesting.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:nt-object-audit(228)

CAN-1999-0580

Phase: Proposed (19990803)

Description: The HKEY_LOCAL_MACHINE key in a Windows NT system has inappropriate,
system-critical permissions.

Votes:

ACCEPT(1) Wall
RECAST(1) Northcutt

Voter Comments:

Northcutt> I think we can define appropriate, take a look at the nt security .pdf
and see if you can't see a way to phrase specific keys in a way that
defines inappropriate.

CAN-1999-0581

Phase: Proposed (19990803)

Description: The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate,
system-critical permissions.

Votes:

ACCEPT(1) Wall
RECAST(1) Northcutt

Voter Comments:

Northcutt> I think we can define appropriate, take a look at the nt security .pdf
and see if you can't see a way to phrase specific keys in a way that
defines inappropriate.

Northcutt> The definition is?
Baker> Maybe a rewording of this one too. I think most people would agree on
some "minimum" policies like 3-5 bad attempts lockout for an hour or
until the administrator unlocks the account.
Suggested rewrite -
A Windows NT account policy does not enforce reasonable minimum
security-critical settings for lockouts, e.g. lockout duration,
lockout after bad logon attempts, etc.
Ozancin> with reservations
What is appropriate?
Frech> XF:nt-thres-lockout
XF:nt-lock-duration
XF:nt-lock-window
XF:nt-perm-lockout
XF:lockout-disabled

CAN-1999-0583

Phase: Proposed (19990728)

Description: There is a one-way or two-way trust relationship between Windows NT
domains.

Votes:

NOOP(1) Christey
REJECT(2) Northcutt, Shostack

Voter Comments:

Christey> XF:nt-trusted-domain(1284)

CAN-1999-0584

Phase: Proposed (19990728)

Description: A Windows NT file system is not NTFS.

Votes:

ACCEPT(2) Northcutt, Wall
MODIFY(1) Frech
NOOP(1) Christey

Voter Comments:

Wall> NTFS partition provides the security. This could be re-worded
to "A Windows NT file system is FAT" since it is either NTFS or FAT
and FAT is less secure.
Frech> XF:nt-filesys(195)
Christey> MSKB:Q214579
http://support.microsoft.com/support/kb/articles/Q100/1/08.ASP

CAN-1999-0585

Phase: Proposed (19990721)

Description: A Windows NT administrator account has the default name of
Administrator.

Wall> Some sources say this is not a vulnerability, but a warning. It just
slows down the search for the admin account (SID = 500) which can
always be found.
Northcutt> I change this on all NT systems I am responsible for, but is
root a vulnerability?
Baker> There are ways to identify the administrator account anyway, so this
is only a minor delay to someone that is knowledgeable. This, in and
of itself, doesn't really strike me as a vulnerability, anymore than
the root account on a Unix box.
Shostack> (there is no way to hide the account name today)
Frech> XF:nt-adminexists

CAN-1999-0586

Phase: Proposed (19990728)

Description: A network service is running on a nonstandard port.

Votes:

RECAST(1) Shostack
REJECT(1) Northcutt

Voter Comments:

Shostack> Might be acceptable if clearer; is that a standard service on a
non-standard port, or any service on an unassigned port?

CAN-1999-0587

Phase: Proposed (19990803)

Description: A WWW server is not running in a restricted file system, e.g. through
a chroot, thus allowing access to system-critical data.

Votes:

ACCEPT(1) Wall
RECAST(1) Northcutt

Voter Comments:

Northcutt> While I would accept this for Unix, I am not sure this applies to NT,
VMS, palm pilots, or commodore 64

CAN-1999-0588

Phase: Proposed (19990726)

Description: A filter in a router or firewall allows unusual fragmented packets.

Votes:

MODIFY(1) Frech
REJECT(1) Northcutt

Voter Comments:

Northcutt> I want to vote to accept this one, but unusual is a shade broad.
Frech> XF:nt-rras
XF:cisco-fragmented-attacks
XF:ip-frag

Northcutt> I think we can define appropriate, take a look at the nt security .pdf
and see if you can't see a way to phrase specific keys in a way that
defines inappropriate.
Christey> Upon further reflection, this is too high-level for CVE.
Specific registry keys with bad permissions is roughly
equivalent to Unix configuration files that have bad
permissions; those permission problems can be created by
any vendor, not just a specific one. Therefore this
candidate should be RECAST into each separate registry
key that has this problem.

CAN-1999-0590

Phase: Proposed (19990728)

Description: A system does not present an appropriate legal message or warning to a
user who is accessing it.

Votes:

ACCEPT(1) Northcutt
MODIFY(1) Christey
RECAST(1) Shostack

Voter Comments:

Christey> ADDREF CIAC:J-043
URL:http://ciac.llnl.gov/ciac/bulletins/j-043.shtml
Also add "banner" to the description to facilitate search.

Description: The Logon box of a Windows NT system displays the name of the last
user who logged in.

Votes:

MODIFY(1) Frech
NOOP(1) Christey
REJECT(2) Northcutt, Wall

Voter Comments:

Wall> Information gathering, not vulnerability
Northcutt> Ah a C2 weenie must have snuck this in, this can be a good thing
not just vulnerability
Frech> XF:nt-display-last-username(1353)
Use it if you will. :-) If not, let us know so I can remove the CAN
reference from our database.
Christey> MSKB:Q114463
http://support.microsoft.com/support/kb/articles/q114/4/63.asp

CAN-1999-0593

Phase: Proposed (19990728)

Description: A user is allowed to shut down a Windows NT system without logging in.

Votes:

ACCEPT(1) Wall
MODIFY(1) Frech
REJECT(1) Northcutt

Voter Comments:

Wall> Still a denial of service.
Northcutt> May well be appropriate
Frech> XF:nt-shutdown-without-logon(1291)

CAN-1999-0594

Phase: Proposed (19990728)

Description: A Windows NT system does not restrict access to removable media drives
such as a floppy disk drive or CDROM drive.

Votes:

ACCEPT(1) Wall
MODIFY(1) Frech
NOOP(1) Christey
REJECT(1) Northcutt

Voter Comments:

Wall> Perhaps it can be re-worded to "removable media drives
such as a floppy disk drive or CDROM drive can be accessed (shared) in a
Windows NT system."
Northcutt> - what good is my NT w/o its floppy
Frech> XF:nt-allocate-cdroms(1294)
XF:nt-allocate-floppy(1318)
Christey> MSKB:Q172520
URL:http://support.microsoft.com/support/kb/articles/q172/5/20.asp

CAN-1999-0595

Phase: Proposed (19990728)
Reference: MSKB:Q182086

Description: A Windows NT system does not clear the system page file during
shutdown, which might allow sensitive information to be recorded.

Frech> Waiting for CIEL.
Christey> This is a design flaw, along with the other reported IDS
problems; at least reference Ptacek/Newsham's paper.
Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html

CAN-1999-0599

Phase: Proposed (19990726)

Description: A network intrusion detection system (IDS) does not properly handle
packets with improper sequence numbers.

Votes:

ACCEPT(2) Northcutt, Baker
NOOP(1) Frech
REVIEWING(1) Christey

Voter Comments:

Frech> Waiting for CIEL.
Christey> This is a design flaw, along with the other reported IDS
problems; at least reference Ptacek/Newsham's paper.
Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html

CAN-1999-0600

Phase: Proposed (19990726)

Description: A network intrusion detection system (IDS) does not verify the
checksum on a packet.

Votes:

ACCEPT(2) Northcutt, Baker
NOOP(1) Frech
REVIEWING(1) Christey

Voter Comments:

Frech> Waiting for CIEL.
Christey> This is a design flaw, along with the other reported IDS
problems; at least reference Ptacek/Newsham's paper.
Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html
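The candidate above (CAN-1999-0600) is one of the Ptacek/Newsham insertion attacks: a packet with a bad transport checksum is discarded by the end host but, if the sensor does not verify checksums, is folded into the sensor's view of the stream. The following is an added example, not text or code from the CVE list or from any IDS vendor. It builds IPv4/TCP packets from constructed addresses and payloads, verifies the TCP checksum the way a host stack does, and runs a toy first-arrival stream reassembler twice, once verifying checksums and once not, to show the two views diverge. The addresses, ports and payloads are made up for the demonstration; nothing is sent on the wire.

```python
"""Added example: TCP checksum verification and the IDS insertion attack
behind CAN-1999-0600. All packets are constructed locally (no network I/O)."""
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words (odd length padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_packet(src_ip, dst_ip, sport, dport, seq, payload, corrupt=False):
    """Return a raw IPv4 packet carrying a TCP segment (no options, PSH+ACK).
    With corrupt=True one bit of the TCP checksum is flipped, producing the
    kind of packet an attacker inserts: the host drops it, a sensor that skips
    checksum verification does not."""
    src = bytes(map(int, src_ip.split(".")))
    dst = bytes(map(int, dst_ip.split(".")))
    tcp_len = 20 + len(payload)
    # TCP header with the checksum field zeroed for computation.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, tcp_len)
    csum = internet_checksum(pseudo + tcp + payload)
    if corrupt:
        csum ^= 0x0001
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return ip + tcp + payload


def tcp_checksum_ok(packet: bytes) -> bool:
    """Verify the TCP checksum of a raw IPv4 packet (host-stack behaviour)."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    segment = packet[ihl:total_len]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, 6, len(segment))
    return internet_checksum(pseudo + segment) == 0


def reassemble_stream(packets, verify_checksums: bool) -> bytes:
    """Toy one-direction stream reassembler: first segment seen for a given
    sequence number wins, later ones are treated as retransmissions.
    verify_checksums=False models the sensor described in CAN-1999-0600."""
    pieces = {}
    for pkt in packets:
        if verify_checksums and not tcp_checksum_ok(pkt):
            continue  # silently dropped, as a real host would do
        ihl = (pkt[0] & 0x0F) * 4
        seq = struct.unpack("!I", pkt[ihl + 4:ihl + 8])[0]
        doff = (pkt[ihl + 12] >> 4) * 4
        pieces.setdefault(seq, pkt[ihl + doff:])
    return b"".join(pieces[s] for s in sorted(pieces))


def demo():
    """Return (host_view, sensor_view) for a constructed three-packet exchange."""
    a = ("10.0.0.1", "10.0.0.2", 40000, 80)
    wire = [
        build_tcp_packet(*a, 1000, b"GET /"),
        build_tcp_packet(*a, 1005, b"index.html", corrupt=True),  # insertion packet
        build_tcp_packet(*a, 1005, b"cgi-bin/phf"),                # what the host sees
    ]
    return reassemble_stream(wire, True), reassemble_stream(wire, False)


if __name__ == "__main__":
    host, sensor = demo()
    print("host  :", host)
    print("sensor:", sensor)
```

The host reassembles "GET /cgi-bin/phf" while the non-verifying sensor reassembles "GET /index.html"; any signature that the sensor applies to its view is applied to data the target never processed. The fix is the obvious one: validate the IP and TCP checksums before feeding a segment to reassembly, and preferably count the failures, since a burst of bad-checksum segments on one flow is itself worth an alert.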

CAN-1999-0601

Phase: Proposed (19990726)

Description: A network intrusion detection system (IDS) does not properly handle
data within TCP handshake packets.

Votes:

ACCEPT(2) Northcutt, Baker
NOOP(1) Frech
REVIEWING(1) Christey

Voter Comments:

Frech> Waiting for Godot, er, CIEL.
Christey> This is a design flaw, along with the other reported IDS
problems; at least reference Ptacek/Newsham's paper.
Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html

CAN-1999-0602

Phase: Proposed (19990726)

Description: A network intrusion detection system (IDS) does not properly
reassemble fragmented packets.

Votes:

ACCEPT(2) Northcutt, Baker
NOOP(1) Frech
REVIEWING(1) Christey

Voter Comments:

Frech> Waiting for CIEL.
Christey> This is a design flaw, along with the other reported IDS
problems; at least reference Ptacek/Newsham's paper.
Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html
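CAN-1999-0602 is the fragment-reassembly member of the same family: when fragments overlap, the datagram a host delivers depends on whether its stack keeps the data that arrived first or lets later data overwrite it, and a sensor that reassembles with a different policy (or not at all) inspects a different payload from the one the host processes. The following is an added example, not text or code from the CVE list or from the Ptacek/Newsham paper. It implements a small reassembler with both overlap policies, a check that flags overlapping fragments so a sensor can alert on the ambiguity instead of guessing, and a constructed fragment set (made-up shell commands as the payload) on which the two policies disagree.

```python
"""Added example: IP fragment reassembly under two overlap policies and the
detection of overlapping fragments, illustrating CAN-1999-0602.
Fragments are constructed in memory; no packets are parsed or sent."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this data within the original datagram
    data: bytes
    more: bool    # IP "more fragments" flag; False marks the last fragment


def reassemble(frags: Iterable[Fragment], policy: str) -> bytes:
    """Reassemble a datagram. policy='first' keeps bytes already written
    (favour old data); policy='last' lets later fragments overwrite
    (favour new data). Raises ValueError if bytes are missing."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf = bytearray()
    filled: List[bool] = []
    total = None
    for f in frags:
        needed = f.offset + len(f.data)
        if needed > len(buf):
            buf.extend(b"\x00" * (needed - len(buf)))
            filled.extend([False] * (needed - len(filled)))
        for i, byte in enumerate(f.data):
            pos = f.offset + i
            if policy == "last" or not filled[pos]:
                buf[pos] = byte
            filled[pos] = True
        if not f.more:
            total = needed
    if total is None or not all(filled[:total]):
        raise ValueError("incomplete datagram")
    return bytes(buf[:total])


def detect_overlap(frags: Iterable[Fragment]) -> List[Tuple[Fragment, Fragment]]:
    """Return every pair of fragments whose byte ranges intersect. A sensor
    that cannot know the host's policy should alert on any such pair."""
    ordered = sorted(frags, key=lambda f: f.offset)
    found = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.offset < a.offset + len(a.data):
                found.append((a, b))
    return found


SIGNATURE = b"/etc/shadow"  # toy content signature for the demonstration


def demo() -> dict:
    """Constructed fragment set: two fragments claim offset 0 with different
    content; the host favours new data, the sensor favours old data."""
    frags = [
        Fragment(0, b"ls -la /tmp/log\n", more=True),   # benign, arrives first
        Fragment(0, b"cat /etc/shadow\n", more=True),   # same offset, arrives second
        Fragment(16, b"exit\n", more=False),
    ]
    host = reassemble(frags, "last")
    sensor = reassemble(frags, "first")
    return {
        "host": host,
        "sensor": sensor,
        "host_hits": SIGNATURE in host,
        "sensor_hits": SIGNATURE in sensor,
        "overlaps": len(detect_overlap(frags)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The host executes "cat /etc/shadow" while the favour-old sensor sees "ls -la /tmp/log" and the signature never fires. There is no single correct policy for a sensor that watches many operating systems, which is why the practical answer is the one detect_overlap models: treat overlapping fragments as suspicious in their own right, and where possible reassemble per destination host with that host's known policy.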

CAN-1999-0603

Phase: Proposed (19990728)

Description: In Windows NT, an inappropriate user is a member of a group,
e.g. Administrator, Backup Operators, Domain Admins, Domain Guests,
Power Users, Print Operators, Replicators, System Operators, etc.

Description: An incorrect configuration of the QuikStore shopping cart
CGI program "quikstore.cgi" could disclose private information.

Votes:

ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Christey, Northcutt, Wall

Voter Comments:

Frech> XF:quikstore-misconfig(3858)
Christey> http://www.quikstore.com/help/pages/Security/security.htm says:
"It is IMPORTANT that during the setup of the QuikStore program, you
check to make sure that the cgi-bin or executable program directory
of your web site not be viewable from the outside world. You don't
want the users to have access to your programs or log files that could
be stored there!
...
If you can view or download these files from the browser, someone
else can too"
So is this a configuration problem? See the configuration file at
http://www.quikstore.com/help/pages/Configuration/configparametersfull.htm
The [DIRECTORY_PATHS] section identifies pathnames and describes how
pathnames are constructed. It clearly uses relative pathnames,
so all data is underneath the base directory!!
If we call this a configuration problem, then maybe this (and
all other "CGI-data-in-web-tree" configuration problems) should
be combined.
Christey> Consider adding BID:1983

Baker> Although newer versions of snmp are not as vulnerable as prior versions,
this can still be a significant risk of exploitation, as seen in recent
attacks on snmp services via automated worms
Christey> XF:snmp(132) ?
Prosser> This fits the "exposure" description although we also know there are many vulnerabilities in SNMP. This is more of a policy/best practice issue for administrators. If you need SNMP lock it down as tight as you can, if you don't need it, don't run it.

CAN-1999-0616

Phase: Proposed (19990804)

Description: The TFTP service is running.

Votes:

ACCEPT(2) Baker, Wall
REJECT(1) Northcutt

CAN-1999-0617

Phase: Proposed (19990804)

Description: The SMTP service is running.

Votes:

ACCEPT(2) Baker, Wall
REJECT(1) Northcutt

CAN-1999-0618

Phase: Modified (19990921-01)
Reference: XF:rexec

Description: The rexec service is running.

Votes:

ACCEPT(4) Northcutt, Baker, Ozancin, Wall
MODIFY(1) Frech

Voter Comments:

Frech> XF:decod-rexec
XF:rexec

CAN-1999-0619

Phase: Proposed (19990804)

Description: The Telnet service is running.

Votes:

ACCEPT(2) Baker, Wall
REJECT(1) Northcutt

CAN-1999-0620

Phase: Proposed (19990804)

Description: A component service related to NIS is running.

Votes:

ACCEPT(2) Baker, Wall
NOOP(1) Christey
REJECT(1) Northcutt

Voter Comments:

Christey> XF:ypserv(261)

CAN-1999-0621

Phase: Proposed (19990804)

Description: A component service related to NETBIOS is running.

Votes:

ACCEPT(2) Baker, Wall
MODIFY(1) Frech
REJECT(2) Northcutt, LeBlanc

Voter Comments:

LeBlanc> There is insufficient description to even know what this is.
Lots of component services related to NetBIOS run, and usually do not
constitute a problem.
Frech> associated to:
XF:nt-alerter(29)
XF:nt-messenger(69)
XF:reg-ras-gateway-enabled(2567)

Northcutt> The method to my madness is that echo is the common denom in the DoS attack
Christey> How much of this is an overlap with the echo/chargen flood
problem (CVE-1999-0103)? If this is only an exposure because
of CVE-1999-0103, then maybe this should be REJECTed.

CAN-1999-0636

Phase: Proposed (19990804)

Description: The discard service is running.

Votes:

ACCEPT(1) Baker
NOOP(1) Wall
REJECT(1) Northcutt

CAN-1999-0637

Phase: Proposed (19990804)

Description: The systat service is running.

Votes:

ACCEPT(2) Baker, Wall
REJECT(1) Northcutt

CAN-1999-0638

Phase: Proposed (19990804)

Description: The daytime service is running.

Votes:

ACCEPT(1) Baker
NOOP(1) Wall
REJECT(1) Northcutt

CAN-1999-0639

Phase: Proposed (19990804)

Description: The chargen service is running.

Votes:

ACCEPT(2) Baker, Wall
REJECT(1) Northcutt
REVIEWING(1) Christey

Voter Comments:

Christey> How much of this is an overlap with the echo/chargen flood
problem (CVE-1999-0103)? If this is only an exposure because
of CVE-1999-0103, then maybe this should be REJECTed.

Description: A system is running a version of software that was replaced with a
Trojan Horse at one of its distribution points, such as (1) TCP
Wrappers 7.6, (2) util-linux 2.9g, (3) wuarchive ftpd (wuftpd) 2.2 and
2.1f, (4) IRC client (ircII) ircII 2.2.9, or (5) OpenSSH 3.4p1.

Northcutt> I think we can define appropriate, take a look at the nt security .pdf
and see if you can't see a way to phrase specific keys in a way that
defines inappropriate.
Christey> Upon further reflection, this is too high-level for CVE.
Specific registry keys with bad permissions is roughly
equivalent to Unix configuration files that have bad
permissions; those permission problems can be created by
any vendor, not just a specific one. Therefore this
candidate should be RECAST into each separate registry
key that has this problem.

Stracener> Add Ref: BUGTRAQ:19970919 Playing redir games with ARP and ICMP
Frech> Cannot proceed without a reference. Too vague, and resembles XF:netbsd-arp:
CAN-1999-0763: NetBSD on a multi-homed host allows ARP packets on one
network to modify ARP entries on another connected network.
CAN-1999-0764: NetBSD allows ARP packets to overwrite static ARP entries.
Will reconsider if reference provides enough information to render a
distinction.
Christey> This particular vulnerability was exploited by an attacker
during the ID'Net IDS test network exercise at the SANS
Network Security '99 conference. The attacker adapted a
publicly available program that was able to spoof another
machine on the same physical network.
See http://marc.theaimsgroup.com/?l=bugtraq&m=87602880019797&w=2
for the Bugtraq reference that Tom Stracener suggested.
This generated a long thread on Bugtraq in 1997.
Blake> I'll second Tom's request to add the reference, it's a very
good posting and the vulnerability is clearly derivative of
the work.
(I do recall talking to the guy and drafting a description.)

Cole> I would add that it is not forced to be changed.
Frech> XF:webramp-default-password
Christey> This problem may have been detected in January 1999:
BUGTRAQ:19990121 Re: WebRamp M3 remote network access bug
http://marc.theaimsgroup.com/?l=bugtraq&m=91702375402055&w=2

Stracener> Is the candidate referring to the denial of service problem mentioned in
the changelogs for versions previous to 1.4.3-1 or does it pertain to some
problem with 1.4.8-1?
Frech> Depending on the version, this could be any number of DoSes
related to ippl.
From http://www.larve.net/ippl/:
9 April 1999: version 1.4.3 released, correctly fixing a
potential denial of service attack.
7 April 1999: version 1.4.2 released, fixing a potential
denial of service attack.
XF:linux-ippl-dos
Christey> Changelog: http://pltplp.net/ippl/docs/HISTORY
See comments for version 1.4.2 and 1.4.3
Another source: http://freshmeat.net/news/1999/04/08/923586598.html
CHANGE> [Stracener changed vote from REVIEWING to NOOP]
CHANGE> [Christey changed vote from NOOP to REJECT]
Christey> As mentioned by others, this could apply to several different
versions. Since the description is too vague, this CAN should
be REJECTED and recast into other candidates.

Blake> This obscurely-written advisory seems to state that COAS will make the
file world-readable, not that it allows the user to make it so. I hardly
think that allowing the user to turn off security is a vulnerability.
Christey> It's difficult to write the description based on what's in
the advisory. If COAS inadvertently changes permissions
without user confirmation, then it should be ACCEPTed with
appropriate modification to the description.
Christey> ADDREF BID:137
CHANGE> [Armstrong changed vote from REVIEWING to NOOP]

Frech> XF:iis-samples-showcode
Cole> There are several sample files that allow this. I would quote
showcode.asp but make it more generic.
Prosser> (Modify)
Have a question on this and on the following three candidates as well. All
of these are part of the file viewer utilities that allow unauthorized
file reading, but MSKB Q231368 also mentioned the diagnostics
program, Winmsdp.exe, as another vulnerable viewer in this same set of
viewers. If we are going to split out the separate viewer tools then
shouldn't there be a separate CAN for Winmsdp.exe also?
Christey> Mike's question basically touches on the CD:SF-EXEC
content decision - what do you do when you have the same bug
in multiple executables? CD:SF-EXEC needs to be reviewed
and approved by the Editorial Board before we can decide
what to do with this candidate.
Christey> Mark Burnett says that Microsoft's mention of winmsdp.exe in
MSKB:Q231368 may be an error, and that winmsdp.exe is a
Microsoft Diagnostics Report Generator which may not even
be installed as part of IIS.
Also see http://www.securityfocus.com/focus/microsoft/iis/showcode.html
Christey> ADDREF BID:167
URL:http://www.securityfocus.com/vdb/bottom.html?vid=167

Frech> XF:iis-samples-viewcode
Cole> I would combine this with the previous.
Prosser> (modify)
See comments in 0736 above
Christey> See http://www.securityfocus.com/focus/microsoft/iis/showcode.html
for additional details.

Frech> XF:iis-samples-codebrws
Cole> Same as above.
Prosser> (modify)
See comments in 0736 above
Christey> codebrw2.asp and Codebrw1.asp also need to be included
somewhere.
Also see http://www.securityfocus.com/focus/microsoft/iis/showcode.html

Blake> RHSA-1999:017-01 describes "potential security problem fixed" in the
absence of knowing whether or not the problems actually existed, I don't
think we have an entry here.
Frech> XF:redhat-net-tool-bo

Stracener> Many sites are vulnerable to this problem. I recommend removing the
explicit references to Hotmail and making the description more generic.
Suggest: Javascript can be injected using the STYLE tag in an HTML
formatted e-mail, allowing remote attackers to execute commands on user
accounts.
Frech> XF:hotmail-html-style-embed

Stracener> Add Ref: CIAC: J-069
Frech> XF:sun-libc-lcmessages
Prosser> BID 268 is an additional reference for this one as it has info on the Sun
vulnerability. However, BID 268 also includes AIX in this vulnerability and
refs APARS issued to fix a vulnerability in various 'nixs with the Natural
Language Service environmental variables NLSPATH and PATH_LOCALE depending
on the 'nix, ref CERT CA-97.10, CVE-1999-0041. However, Georgi Guninski
reported a BO in AIX with LC_MESSAGES + mount, also refed in BID 268, so it
is possible the AIX APARs fix an earlier, similar vulnerability to the Sun
BO in LC_MESSAGES. This should probably be considered under a different
CAN. Any ideas?
Christey> Given that the buffer overflows in CVE-1999-0041 are NLSPATH
and PATH_LOCALE, I'd say that's good evidence that this is not
the same problem. But a buffer overflow in libc in
LC_MESSAGES... We must ask if these are basically the same
codebase.
ADDREF CIAC:J-069
Christey> While the description indicates multiple programs, CD:SF-EXEC
does not apply because the vulnerability was in libc, and
rcp and ufsrestore were both statically linked against libc.
Thus CD:SF-LOC applies, and a single candidate is maintained
because the problem occurred in a library.
Dik> Sun bug 4240566
Christey> I'm consulting with Casper Dik and Troy Bollinger to see if
this should be combined with the AIX buffer overflows for
LC_MESSAGES; current indications are that they should be
split.
Christey> For further consultation, consider this post, though it's
associated with CVE-1999-0041:
BUGTRAQ:19970213 Linux NLSPATH buffer overflow
http://www.securityfocus.com/archive/1/6296
Also add "NLSPATH" and "PATH_LOCALE" to the description to
facilitate search.

Christey> This candidate is unconfirmed by the vendor.
Posted by Arne Vidstrom.
Blake> I'd like to change my vote on this from ACCEPT to NOOP. I did some
digging and the vendor seems to have discontinued the product, so no
information is available beyond Arne's post. Unless Andre has a copy
in his archive and can test it, I think we have to leave it out.
Wall> I agree with Blake. We have not seen the product and it has been discontinued.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> If this is (or was) tested by some tool, we should ACCEPT it.
Baker> http://www.securityfocus.com/bid/270
Christey> BID:270
URL:http://www.securityfocus.com/bid/270

Christey> Is CAN-1999-0389 a duplicate of CAN-1999-0798? CAN-1999-0389
has January 1999 dates associated with it, while CAN-1999-0798
was reported in late December.
http://marc.theaimsgroup.com/?l=bugtraq&m=91278867118128&w=2
SCO appears to have acknowledged this as well:
ftp://ftp.sco.com/SSE/security_bulletins/SB-99.01a
The poster also claims that OpenBSD fixed this as well.
Frech> XF:bootp-remote-bo
Christey> Further analysis indicates that this is a duplicate of CVE-1999-0799
CHANGE> [Christey changed vote from REJECT to NOOP]
Christey> What was I thinking? Brian Caswell pointed out that this is
*not* the same bug as CVE-1999-0799. As reported in the
1998 Bugtraq post, the bug is in bootpd.c, and is related
to providing an htype value that is used as an index
into an array, and exceeds the intended boundaries of that
array.

Cole> This can cause code to be executed.
Frech> XF:sol-kcms-conf-netpath-bo
Dik> the bug has nothing to do with kcms_configure; it's a bug
in libnsl.so. All set-uid executables that trigger this code path are
vulnerable. Sun bug 4295834; fixed in Solaris 8.
Prosser> Okay, I am confused. Based on Casper's comments and checking
on the Sun patch site, I found the 4295834 bug(4295834 NETPATH security
problem in libnsl) fixed in SunOS 5.4, Patch 101974-37(x86) 101973 (sparc).
Multiple libnsl vulnerabilities were first reported in a 98 Sun Bulletin
#00172 for 5.4 up through 2.6. Was this NETPATH a problem that resurfaced
in 7 (looks like in 5.4 as well) and was fixed in 8?
Christey> Need to dig up my offline email on this.
Christey> May be a duplicate of CVE-1999-0321, whose sole reference
(XF:sun-kcms-configure-bo) no longer exists. Also examine
BID:452 and
BUGTRAQ:19981223 Merry Christmas to Sun! (Was: L0pht NFR N-Code
Modules Updated)
which are the same as XF:sol-kcms-conf-p-bo(3652), which could
be the new name for XF:sun-kcms-configure-bo.

Cole> I would combine this with the previous. To me the general
vulnerabilities are similar it is just the end result that changes.
Frech> XF:freebsd-seyon-setgid
Christey> ADDREF? CALDERA:CSSA-1999-037.0

Cole> The BID is 855. If I have the right vulnerability, this allows an
attacker to access URLs of their choosing which could lead to a compromise
of private information.
Frech> XF:http-frame-spoof
Question: Similar vulnerability to MS98-020 / CAN-1999-0869?
LeBlanc> MSRC tells me this is patched in MS00-009

Cole> This is BID 850.
Christey> See comments on CAN-1999-0988. Perhaps these two should be
merged. ftp://ftp.sco.com/SSE/security_bulletins/SB-99.28a
loosely alludes to this problem; the README for patch SSE053
effectively confirms it.
Frech> XF:sco-pkg-dacread-fileread

Cole> This is BID 824 and the BUGTRAQ reference is 19991125.
Frech> XF:sco-unixware-xsco
Christey> Confirmed by vendor, albeit vaguely:
http://marc.theaimsgroup.com/?l=bugtraq&m=94581379905584&w=2
Prosser> agree with Steve on vendor confirmation, however not sure the
fix ref'd in BID 824 (SSE041) is right. It lists fixes for libnsl and
tcpip.so, nothing about xsco. SSE050b
(ftp://ftp.sco.com/SSE/security_bulletins/SB-99.26b) fixes a buffer overflow
in xsco on OpenServer (the vendor message Steve refers to) but not the
UnixWare vulnerability reported on Bugtraq and in BID824. Anyone more
familiar with SCO shed some light on this? Are they the same codebase so fix
would be same? From the SCO site it seems the UnixWare and OpenServer
products are similar but have differences.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> BID:824
http://www.securityfocus.com/bid/824

Cole> I went to 1129 and it looks like a reference for a different
vulnerability.
Frech> In the description, should dtmailptr be dtmailpr?
XF:solaris-dtmailpr-overflow
XF:solaris-dtmail-overflow
Dik> sun bug: 4166321

Frech> XF:cisco-nat-dos
Christey> Mike Prosser's REVIEWING vote expires July 17, 2000
Ziese> After reviewing
http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml
I can not confirm this exists unless it's restructured to
describe a problem against IOS per se; not NAT per se. I am
reviewing this and it may take some time.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Not sure if Kevin's suggested reference really describes this
one. However, a followup email by Jim Duncan of Cisco does
acknowledge the problem as discussed in the Bugtraq post:
http://marc.theaimsgroup.com/?l=vuln-dev&m=94385601831585&w=2
The original post is:
http://marc.theaimsgroup.com/?l=bugtraq&m=94184947504814&w=2
It could be that the researcher believed that the problem was
NAT, but in fact it wasn't.
I need to follow up with Ziese/Balinsky on this one.

Cole> 823 and 820 are two different vulnerabilities and should be
separated out. They are both buffer overflows but accomplish it in a
different fashion and the end exploit is different.
Frech> (RECAST?)
XF:mdaemon-worldclient-dos
XF:mdaemon-webconfig-dos
Recast request: This is really two services exhibiting the same problem.
Christey> as suggested by others.
Also see confirmation at:
http://mdaemon.deerfield.com/helpdesk/hotfix.cfm

Frech> XF:mdaemon-dos
Christey> CAN-1999-0844 is confirmed by MDaemon at
http://mdaemon.deerfield.com/helpdesk/hotfix.cfm but there
is no apparent confirmation for this problem, even
though it was posted the same day.
Prosser> Looks like from a follow-on message on Bugtraq from Nobuo
<http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-28&msg=199912011604.HJI39569.BX-NOJ@lac.co.jp> Deerfield sent a reply about the
DoS problems in MDaemon 2.8.5, that also talks about fixing the 2.7 J DoS
that Nobuo initially reported. Can't find the original message, so may have
been limited distro. Looks like an upgrade to the latest release might be
the final solution here.

Frech> XF:freebsd-seyon-bo
Christey> ADDREF? CALDERA:CSSA-1999-037.0
Christey> May be multiple bugs here, or a single library problem.
CD:SF-LOC needs to be resolved before determining if this
candidate should be SPLIT. Also see CAN-1999-0821.

Description: Buffer overflow in Vixie cron allows local users to gain root access
via a long MAILTO environment variable in a crontab file.

Votes:

MODIFY(2) Frech, Cole
REJECT(3) Christey, Blake, Stracener

Voter Comments:

Cole> 611 is the mail to listed above but 759 is for the mail from and
should be listed as a separate vulnerability.
Blake> This does not appear materially different from CAN-1999-0768
Christey> This is an apparent duplicate of CAN-1999-0768.
REDHAT:RHSA-1999:030-02 describes two issues, one of which is
CAN-1999-0768, and the other is CVE-1999-0769.
Stracener> This is a duplicate of candidate CAN-1999-0768.
Frech> XF:cron-sendmail-bo-root
Christey> BID:759 is improperly assigned to this candidate and doesn't
even describe it. It may have been inadvertently copied
from CAN-1999-0873.

Christey> This candidate is unconfirmed by the vendor.
Blake> Same as CAN-1999-0776.
Frech> XF:alibaba-url-file-manipulation
Christey> CD:SF-LOC and CD:SF-EXEC may say to merge this candidate with
the problems described in:
BUGTRAQ:20000718 Multiple bugs in Alibaba 2.0
URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0237.html
If so, then ADDREF BID:1485 as well.
Christey> Include the names of the affected CGI's, including tst.bat,
get32.exe, alibaba.pl, etc.

Frech> XF:siteserver-cis-cookie-cache
Cole> Whether cookies are a vulnerability is a debate for another time, the
question here is whether the expiration feature is a vulnerability and I do
not think it is because the underlying concerns for this are present even
without this feature. The expiration feature does not add any new
vulnerabilities that are not already present with cookies.
Stracener> Add Ref: MSKB Q238647

Frech> XF:proftpd-long-dir-bo(3399)
Christey> Not absolutely sure if this isn't the same as Palmetto
(CVE-1999-0368), which describes a similar type of overflow.
NETBSD:NetBSD-SA1999-003 may refer to CVE-1999-0368:
ADDREF URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1999-003.txt.asc
Christey> ADDREF CIAC:J-068
Include version numbers; too many wu-ftp/etc. problems
were published in summer/fall 1999

Christey> This candidate is unconfirmed by the vendor.
Frech> XF:motorola-cable-crash
Christey> This has enough votes, but not the "confidence" yet (until we
resolve the question of the amount of verification needed
for CVE).

Description: Sample runnable code snippets in ColdFusion Server 4.0 allow remote
attackers to read files, conduct a denial of service, or use the
server as a proxy for other HTTP calls.

Votes:

ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(1) Christey

Voter Comments:

Frech> XF:coldfusion-source-display(1741)
XF:coldfusion-syntax-checker(1742)
XF:coldfusion-file-existence(1743)
XF:coldfusion-sourcewindow(1744)
Christey> List all affected runnable code snippets to facilitate
search, which may include:
viewexample.cfm (though could that be part of CVE-1999-0922?)

Frech> References are vague, but seem to be identical to CAN-1999-0940
(XF:mutt-text-enriched-mime-bo). According to the references, the malformed
messages consist of metacharacters. In addition, -0941's reference and
-0940's SuSE reference both refer to fixes in 1.0pre3 release. Will
reconsider vote if other clearer references are forthcoming.
Christey> Modify to mention that the metachar's are in the Content-Type header.
http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526154&w=2

Description: Buffer overflow in uum program for Canna input system allows local
users to gain root privileges.

Votes:

ACCEPT(2) Stracener, Levy
MODIFY(1) Frech
NOOP(1) Christey

Voter Comments:

Christey> CAN-1999-0948 and CAN-1999-0949 are extremely similar.
uum (0948) is exploitable through a different set of options
than canuum (0949). If it's the same generic option parsing
routine used by both programs, then CD:SF-CODEBASE says to
merge them. But if it's not, then CD:SF-LOC and CD:SF-EXEC
says to split them. However, this is a prime example of
how SF-EXEC might be modified - uum and canuum are clearly
part of the same package, so in the absence of clear
information, maybe we should merge them.
Frech> XF:canna-uum-bo

Description: Buffer overflow in canuum program for Canna input system allows local
users to gain root privileges.

Votes:

ACCEPT(2) Stracener, Levy
MODIFY(1) Frech
NOOP(1) Christey

Voter Comments:

Christey> CAN-1999-0948 and CAN-1999-0949 are extremely similar.
uum (0948) is exploitable through a different set of options
than canuum (0949). If it's the same generic option parsing
routine used by both programs, then CD:SF-CODEBASE says to
merge them. But if it's not, then CD:SF-LOC and CD:SF-EXEC
says to split them. However, this is a prime example of
how SF-EXEC might be modified - uum and canuum are clearly
part of the same package, so in the absence of clear
information, maybe we should merge them.
Also review BID:758 and BID:757 - may need to change the BID
here.
Frech> XF:canna-uum-bo
Christey> CHANGEREF BID:757 BID:758

Frech> XF:solaris-lpstat-bo
Christey> It is unclear from Casper Dik's followup whether this is
exploitable or not.
Dik> Sunbug 4129917
(other reports in the same thread suggest that the then current patch did
fix the problem)
Christey> Confirm with Casper Dik that the overflow is in the -c option,
and if so, include it in the description to differentiate
it from the lpstat -n buffer overflow.

Christey> More examination is required to determine if CAN-1999-0983,
CAN-1999-0984, or CAN-1999-0985 are the same codebase.
Frech> XF:whois-internic-shell-meta
Christey> ADDREF BID:2000
Christey> The XF appears to be gone. Perhaps it's this one:
XF:http-cgi-whois-meta(3798)

Cole> How is this different than the previous?
Christey> More examination is required to determine if CAN-1999-0983,
CAN-1999-0984, or CAN-1999-0985 are the same codebase.
Frech> XF:matts-whois-meta
Christey> ADDREF BID:2000
Christey> XF reference is gone. Replace with http-cgi-matts-whois-meta(3799) ?

Cole> I would combine all of these.
Christey> More examination is required to determine if CAN-1999-0983,
CAN-1999-0984, or CAN-1999-0985 are the same codebase.
Frech> XF:cc-whois-meta
Christey> ADDREF BID:2000
Frech> Change cc-whois-meta(3800) to http-cgi-ccwhois(3747)
Christey> Replace XF reference with XF:cc-whois-meta(3800) ?

Stracener> The pkg* programs pkgtrans, pkginfo, pkgcat, pkginstall, and pkgparam
can be used to mount etc/shadow printing attacks as a result of the
"dacread" permission (cf. /etc/security/tcb/privs). The procedural
differences between the individual exploits for each of these utilities
are therefore inconsequential. CAN-1999-0988 should be merged with
CAN-1999-0828. From the standpoint of maintaining consistency of the
level of abstraction used in CVE, the co-existence of CANS
1999-0988/1999-0828 present two choices: either merge 0988 with 0828, or
split 0828 into 4 distinct candidates, keeping 0988 intact. Due to the
very small differences (in principle) between the exploits subsumed by
0828 and 0988 and the shared dacread permissions of the pkg* suite, I
suggest a merge. Below is a summary of the data upon which my decision
was based.
utility exploit
-------- ----------------------------------
pkgtrans --> symlink + dacread permission prob
pkginfo --> truss (debugging utility) in conjunction with pkginfo -d
etc/shadow. In this case, it captures the interaction between
pkginfo and the shadow file. Once again: dacread.
pkgcat --> buffer overflow + dacread permission prob
pkginstall -> buffer overflow + dacread permission prob
pkgparam --> -f etc/shadow (works because of dacread).
Christey> This is a tough one. While there are few procedural
differences, one could view "assignment of an improper
permission" as a "class" of problems along the lines of
buffer overflows and the like. Just like some programs
were fine until they got turned into CGI scripts, this
could be an emerging pattern which should be given
consideration. Consider the Eyedog and scriptlet.typelib
ActiveX utilities being marked as safe for scripting
(CAN-1999-0668 and 0669).
ftp://ftp.sco.com/SSE/security_bulletins/SB-99.28a loosely
alludes to this problem; the README for patch SSE053
effectively confirms it.
Frech> XF:unixware-pkgtrans-symlink

CAN-1999-0990

Phase: Interim (19991229)
Reference: BUGTRAQ:19991205 gdm thing

Description: Error messages generated by gdm with the VerboseAuth setting allows an
attacker to identify valid users on a system.

Frech> XF:disney-search-info(3955)
Balinsky> The go.express.com web site does not mention the existence of the Express web server mentioned in the advisory. There appears to be no way of verifying this.

Description: Microsoft HTML control as used in (1) Internet Explorer 5.0, (2)
FrontPage Express, (3) Outlook Express 5, and (4) Eudora, and possibly
others, allows remote malicious web site or HTML emails to cause a
denial of service (100% CPU consumption) via large HTML form fields
such as text inputs in a table cell

Votes:

ACCEPT(2) Wall, Cole
MODIFY(1) Frech
NOOP(2) Foat, Christey

Voter Comments:

Frech> XF:ms-html-table-form-dos(3246)
Christey> Add period to the end of the description.

Description: IPChains in Linux kernels 2.2.10 and earlier does not reassemble IP
fragments before checking the header information, which allows a
remote attacker to bypass the filtering rules using several fragments
with 0 offsets.

Description: The installation of Novell Netware NDS 5.99 provides an
unauthenticated client with Read access for the tree, which allows
remote attackers to access sensitive information such as users,
groups, and readable objects via CX.EXE and NLIST.EXE.

Description: serial_ports administrative program in IRIX 4.x and 5.x trusts the
user's PATH environmental variable to find and execute the ls program,
which allows local users to gain root privileges via a Trojan horse ls
program.

Votes:

ACCEPT(2) Frech, Cole
NOOP(2) Foat, Christey

Voter Comments:

Christey> Note: CAN-1999-1310 is a duplicate of this candidate.
CAN-1999-1310 will be REJECTed; this is the proper CAN to use.
CIAC:F-01
URL:http://ciac.llnl.gov/ciac/bulletins/f-01.shtml
SGI:19941001-01-P
URL:ftp://patches.sgi.com/support/free/security/advisories/19941001-01-P
MISC:http://www.netsys.com/firewalls/firewalls-9410/0019.html

Description: useradd in Solaris 7.0 does not properly interpret certain date
formats as specified in the "-e" (expiration date) argument, which
could allow users to login after their accounts have expired.

Description: ip_print procedure in Tcpdump 3.4a allows remote attackers to cause a
denial of service via a packet with a zero length header, which causes
an infinite loop and core dump when tcpdump prints the packet.

Description: CDE screen lock program (screenlock) on Solaris 2.6 does not properly
lock an unprivileged user's console session when the host is an NIS+
client, which allows others with physical access to login with any
string.

Description: SSH server (sshd2) before 2.0.12 does not properly record login
attempts if the connection is closed before the maximum number of
tries, allowing a remote attacker to guess the password without
showing up in the audit logs.

Votes:

ACCEPT(2) Frech, Cole
NOOP(2) Wall, Foat

CAN-1999-1030

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92713790426690&w=2
Reference: NTBUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92707671717292&w=2
Reference: BID:267
Reference: URL:http://www.securityfocus.com/bid/267

Description: counter.exe 2.70 allows a remote attacker to cause a denial of
service (hang) via an HTTP request that ends in %0A (newline), which
causes a malformed entry in the counter log that produces an access
violation.

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92713790426690&w=2
Reference: NTBUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92707671717292&w=2
Reference: BID:267
Reference: URL:http://www.securityfocus.com/bid/267

Description: counter.exe 2.70 allows a remote attacker to cause a denial of service
(hang) via a long argument.

Description: Microsoft Outlook Express before 4.72.3612.1700 allows a malicious
user to send a message that contains a "." (the line that terminates a
multi-line POP3 response), which can inadvertently cause Outlook to
re-enter POP3 command mode and cause the POP3 session to hang.
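The "." mechanism behind this entry, as an added example (my code, not the page's and not Microsoft's or any POP3 server's): RFC 1939 ends a multi-line response with a line holding only ".", so a server must byte-stuff body lines that begin with "." and the client must un-stuff them. The two functions below do both sides, using "\n" line endings instead of CRLF to keep the code short, and demo_truncation() shows that a body containing a bare "." line, delivered un-stuffed, is cut off at that line with the rest of the stream left to be parsed as the reply to the client's next command, which is the state the description calls re-entering command mode. The sample body is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Server side (RFC 1939 section 3): byte-stuff a message body for a RETR
 * response. Every line that starts with '.' gets a second '.' prefixed, then
 * the terminating ".\n" line is appended. "\n" endings stand in for CRLF.
 * Returns a malloc'd string the caller frees. */
char *pop3_stuff(const char *body)
{
    size_t n = strlen(body);
    char *out = malloc(2 * n + 8);      /* worst case: every line stuffed */
    if (!out) return NULL;
    size_t o = 0;
    int at_line_start = 1;
    for (size_t i = 0; i < n; i++) {
        if (at_line_start && body[i] == '.')
            out[o++] = '.';
        out[o++] = body[i];
        at_line_start = (body[i] == '\n');
    }
    if (!at_line_start)                 /* body must end on a line boundary */
        out[o++] = '\n';
    memcpy(out + o, ".\n", 3);          /* terminator line plus NUL */
    return out;
}

/* Client side: read a multi-line response from `stream`, stopping at the
 * first line that is exactly ".", and un-stuff lines that start with "..".
 * *consumed receives how many bytes were used, i.e. where the client thinks
 * the next server reply begins. Returns a malloc'd body. */
char *pop3_unstuff(const char *stream, size_t *consumed)
{
    size_t n = strlen(stream);
    char *out = malloc(n + 1);
    if (!out) return NULL;
    size_t o = 0, i = 0;
    while (i < n) {
        const char *line = stream + i;
        const char *nl = memchr(line, '\n', n - i);
        size_t len = nl ? (size_t)(nl - line) + 1 : n - i;
        if (len == 2 && line[0] == '.' && line[1] == '\n') {
            i += len;                   /* terminator: message ends here */
            break;
        }
        size_t skip = (len >= 2 && line[0] == '.' && line[1] == '.') ? 1 : 0;
        memcpy(out + o, line + skip, len - skip);
        o += len - skip;
        i += len;
    }
    out[o] = '\0';
    if (consumed) *consumed = i;
    return out;
}

/* The failure mode in the description: the same body delivered stuffed and
 * raw. Returns 1 when the stuffed copy round-trips exactly and the raw copy
 * is cut off at the bare "." line with bytes left over in the stream. */
int demo_truncation(void)
{
    /* constructed sample body with a line consisting of a single '.' */
    const char *body = "Subject: test\n\nfirst line\n.\nsecond line\n";
    size_t used_ok = 0, used_raw = 0;

    char *stuffed = pop3_stuff(body);
    char *good = pop3_unstuff(stuffed, &used_ok);
    int round_trips = strcmp(good, body) == 0;

    /* a broken server appends the terminator without stuffing the body */
    char *raw = malloc(strlen(body) + 3);
    strcpy(raw, body);
    strcat(raw, ".\n");
    char *bad = pop3_unstuff(raw, &used_raw);
    /* the client stops at the bare '.', never sees "second line", and treats
     * the leftover bytes as the reply to its next command */
    int truncated = strstr(bad, "second line") == NULL && used_raw < strlen(raw);

    free(stuffed); free(good); free(raw); free(bad);
    return round_trips && truncated;
}

int main(void)
{
    printf("stuffed body round-trips and raw body truncates: %s\n",
           demo_truncation() ? "yes" : "no");
    return 0;
}
```

A server that forgets the stuffing step is the usual cause; a client that wants to be robust against it has no clean fix, because a lone "." line is by definition the end of the response.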

Christey> This candidate and CAN-1999-1501 are duplicates. However,
CAN-1999-1501 will be REJECTed in favor of this candidate.
Add the following references:
BID:70
URL:http://www.securityfocus.com/bid/70
BID:71
URL:http://www.securityfocus.com/bid/71
XF:irix-ipxchk-ipxlink-ifs-commands(7365)
URL:http://xforce.iss.net/static/7365.php

Description: Buffer overflow in mscreen on SCO OpenServer 5.0 and SCO UNIX 3.2v4
allows a local user to gain root access via (1) a long TERM
environment variable and (2) a long entry in the .mscreenrc file.

Frech> XF:cisco-crm-file-vuln(1575)
Armstrong> I think that this is the same as CAN-1999-1126
Balinsky> This is the same as CAN-1999-1126. Merge them.
Christey> DUPE CAN-1999-1126, as noted by others.
This candidate will be rejected. CAN-1999-1126 will be
promoted.

Christey> Abstraction and definition issue: CD:SF-LOC suggests combining
issues of the same type. Some people refer to "directory
traversal" and just mean .. problems; but there are other
issues (specifying an absolute pathname, using C: drive
letters, doing encodings) that, to my way of thinking, are
"different." Perhaps this should be split.
My brain hurts too much right now. There are a couple
problems with the references and descriptions of CAN-1999-1050
and CAN-1999-1051. I'm interpreting the underlying nature
of the problem(s) a little differently than others are.
Some of it may be due to differing definitions or thoughts
about what "directory traversal vulnerabilities" are.

Description: Default configuration in Matt Wright FormHandler.cgi script allows
arbitrary directories to be used for attachments, and only restricts
access to the /etc/ directory, which allows remote attackers to read
arbitrary files via the reply_message_attach attachment parameter.

Votes:

MODIFY(1) Frech
NOOP(3) Wall, Foat, Cole
REVIEWING(1) Christey

Voter Comments:

Frech> XF:formhandler-cgi-reply-message(7782)
Christey> I view one of these as a configuration issue: FormHandler.cgi
*could* be configured to limit hard-coded pathnames to a single
directory which, while being an information leak, would still be
"reasonably secure." But by default, it's just not configured that
way.
My brain hurts too much right now. There are a couple
problems with the references and descriptions of CAN-1999-1050
and CAN-1999-1051. I'm interpreting the underlying nature
of the problem(s) a little differently than others are.
Some of it may be due to differing definitions or thoughts
about what "directory traversal vulnerabilities" are.

Description: Microsoft FrontPage stores form results in a default location in
/_private/form_results.txt, which is world-readable and accessible in
the document root, which allows remote attackers to read possibly
sensitive information submitted by other users.

Description: Buffer overflow in Tetrix TetriNet daemon 1.13.16 allows remote
attackers to cause a denial of service and possibly execute arbitrary
commands by connecting to port 31457 from a host with a long DNS
hostname.

Description: HP Laserjet printers with JetDirect cards, when configured with
TCP/IP, can be configured without a password, which allows remote
attackers to connect to the printer and change its IP address or
disable logging.

Description: Multiple buffer overflows in WindowMaker 0.52 through 0.60.0 allow
attackers to cause a denial of service and possibly execute arbitrary
commands by executing WindowMaker with a long program name (argv[0]).

Description: Palm Pilot HotSync Manager 3.0.4 in Windows 98 allows remote attackers
to cause a denial of service, and possibly execute arbitrary commands,
via a long string to port 14238 while the manager is in network mode.

Description: Quake 1 server responds to an initial UDP game connection request with
a large amount of traffic, which allows remote attackers to use the
server as an amplifier in a "Smurf" style attack on another host, by
spoofing the connection request.

Votes:

MODIFY(1) Frech
NOOP(4) Wall, Foat, Cole, Christey

Voter Comments:

Christey> This is apparently a problem with the connection protocol.
See BUGTRAQ:19980522 NetQuake Protocol problem resulting in smurf like effect.
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925989&w=2
Frech> XF:quake-udp-connection-dos(7862)

Description: SGI MachineInfo CGI program, installed by default on some web servers,
prints potentially sensitive system status information, which could be
used by remote attackers for information gathering activities.

Votes:

ACCEPT(1) Frech
NOOP(2) Foat, Cole

Voter Comments:

Frech> I'd be a lot more confident in this vote if there was a more
concrete reference strongly associating webdist.cgi and machineinfo.

Description: Excite for Web Servers (EWS) 1.1 allows local users to gain privileges
by obtaining the encrypted password from the world-readable
Architext.conf authentication file and replaying the encrypted
password in an HTTP request to AT-generated.cgi or AT-admin.cgi.

Description: Excite for Web Servers (EWS) 1.1 records the first two characters of a
plaintext password in the beginning of the encrypted password, which
makes it easier for an attacker to guess passwords via a brute force
or dictionary attack.

Description: inetd in AIX 4.1.5 dynamically assigns a port N when starting
ttdbserver (ToolTalk server), but also inadvertently listens on port
N-1 without passing control to ttdbserver, which allows remote
attackers to cause a denial of service via a large number of
connections to port N-1, which are not properly closed by inetd.

Description: Idle locking function in MacOS 9 allows local users to bypass the
password protection of idled sessions by selecting the "Log Out"
option and selecting a "Cancel" option in the dialog box for an
application that attempts to verify that the user wants to log out,
which returns the attacker into the locked session.

Description: Idle locking function in MacOS 9 allows local attackers to bypass the
password protection of idled sessions via the programmer's switch or
CMD-PWR keyboard sequence, which brings up a debugger that the
attacker can use to disable the lock.

Description: The "AEDebug" registry key is installed with insecure permissions,
which allows local users to modify the key to specify a Trojan Horse
debugger which is automatically executed on a system crash.

Description: Novell 5 and earlier, when running over IPX with a packet signature
level less than 3, allows remote attackers to gain administrator
privileges by spoofing the MAC address in IPC fragmented packets that
make NetWare Core Protocol (NCP) calls.

Description: UNIX news readers tin and rtin create the /tmp/.tin_log file with
insecure permissions and follow symlinks, which allows attackers to
modify the permissions of files writable by the user via a symlink
attack.

Description: sort creates temporary files and follows symbolic links, which allows
local users to modify arbitrary files that are writable by the user
running sort, as observed in updatedb and other programs that use
sort.

Votes:

MODIFY(1) Frech
NOOP(3) Foat, Cole, Christey

Voter Comments:

Frech> XF:sort-tmp-file-symlink(7182)
Christey> This issue clearly has a long history.
CALDERA:CSSA-2002-SCO.21
URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0018.html
CALDERA:CSSA-2002-SCO.2
URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0002.html
(There are 2 Caldera advisories because one is for Open UNIX
and UnixWare, and the other is for OpenServer)
XF:openserver-sort-symlink(9218)
URL:http://www.iss.net/security_center/static/9218.php
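The tin/rtin and sort entries above are the same bug class: a predictable path under /tmp is opened with O_CREAT, so an attacker who plants a symlink there first gets the program's write redirected to the link target. Added example, not code from either program: the unsafe open beside two safer forms, and a simulate() that plants a link in a private directory and shows that the unsafe open truncates the target while the O_EXCL|O_NOFOLLOW open refuses. The directory and file names are constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* The pattern behind the tin and sort entries: a fixed, predictable path is
 * opened with O_CREAT|O_TRUNC, and the kernel follows whatever an attacker
 * left at that path. */
int open_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened: O_EXCL makes open() fail with EEXIST if anything already exists
 * at the path, a symlink included, wherever it points; O_NOFOLLOW makes a
 * non-creating open fail with ELOOP on a symlink; 0600 keeps the file
 * private. A pre-planted file or link now produces an error instead of a
 * redirected write. */
int open_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Better still: an unpredictable name chosen by mkstemp, which uses O_EXCL
 * internally. template_buf must end in "XXXXXX" and is rewritten in place. */
int open_unpredictable(char *template_buf)
{
    return mkstemp(template_buf);
}

/* Simulates the attack in a private directory under /tmp (paths constructed
 * for the demo). On return *victim_size_after_unsafe is the victim file's
 * size after open_unsafe() ran on the planted link (0 means the link was
 * followed and the victim truncated) and *safe_refused is 1 if open_safe()
 * returned an error on the same link. Returns 0 on success, -1 on setup
 * failure. */
int simulate(off_t *victim_size_after_unsafe, int *safe_refused)
{
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;

    char victim[256], link[256];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/.tin_log", dir);   /* predictable name */

    /* the victim: a file writable by the user who will run the program */
    int v = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (v < 0 || write(v, "important data\n", 15) != 15) return -1;
    close(v);

    /* the attacker plants the link before the program runs */
    if (symlink(victim, link) != 0) return -1;

    int fd = open_unsafe(link);     /* follows the link and truncates victim */
    if (fd >= 0) close(fd);
    struct stat st;
    if (stat(victim, &st) != 0) return -1;
    *victim_size_after_unsafe = st.st_size;

    fd = open_safe(link);           /* fails with EEXIST; nothing is written */
    *safe_refused = (fd < 0);
    if (fd >= 0) close(fd);

    unlink(link); unlink(victim); rmdir(dir);
    return 0;
}

int main(void)
{
    off_t size = -1; int refused = 0;
    if (simulate(&size, &refused) != 0) { perror("simulate"); return 1; }
    printf("victim size after unsafe open: %lld (0 = clobbered)\n", (long long)size);
    printf("safe open refused the planted link: %s\n", refused ? "yes" : "no");
    return 0;
}
```

The same pattern recurs in later entries on this page (install.iss, Word Perfect's working directory, the xterm core dump, Quake 2's config.cfg); in each case the fix is the same combination of an unpredictable name, O_EXCL, and a private mode.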

Description: Windows Media Player ActiveX object as used in Internet Explorer 5.0
returns a specific error code when a file does not exist, which allows
remote malicious web sites to determine the existence of files on the
client.

Description: HTTP Client application in ColdFusion allows remote attackers to
bypass access restrictions for web pages on other ports by providing
the target page to the mainframeset.cfm application, which requests
the page from the server, making it look like the request is coming
from the local host.

Description: Oracle Webserver 2.1 and earlier runs setuid root, but the
configuration file is owned by the oracle account, which allows any
local or remote attacker who obtains access to the oracle account to
gain privileges or modify arbitrary files by modifying the
configuration file.

Description: Default configuration of the search engine in Netscape Enterprise
Server 3.5.1, and possibly other versions, allows remote attackers to
read the source of JHTML files by specifying a search command using
the HTML-tocrec-demo1.pat pattern file.

Description: Compaq/Microcom 6000 Access Integrator does not cause a session
timeout after prompting for a username or password, which allows
remote attackers to cause a denial of service by connecting to the
integrator without providing a username or password.

Description: Compaq/Microcom 6000 Access Integrator does not disconnect a client
after a certain number of failed login attempts, which allows remote
attackers to guess usernames or passwords via a brute force attack.

Christey> I confirmed this problem via visual inspection of the
source code in http://www.lakeweb.com/scripts/filemail.zip
Line 82 has an insufficient check for shell metacharacters
that doesn't exclude semicolons. Line 129 is the
call where the metacharacters are injected.
Need to add "filemail.pl" to the description.

Description: Buffer overflow in (1) pluggable authentication module (PAM) on
Solaris 2.5.1 and 2.5 and (2) unix_scheme in Solaris 2.4 and 2.3
allows local users to gain root privileges via programs that use these
modules such as passwd, yppasswd, and nispasswd.

Description: install.iss installation script for Internet Security Scanner (ISS)
for Linux, version 5.3, allows local users to change the permissions
of arbitrary files via a symlink attack on a temporary file.

Description: By design, Maximizer Enterprise 4 calendar and address book program
allows arbitrary users to modify the calendar of other users when the
calendar is being shared.

Votes:

MODIFY(1) Frech
NOOP(3) Wall, Foat, Cole
REVIEWING(1) Christey

Voter Comments:

Christey> The discloser does not provide enough details to fully
understand what the problem is. This makes it difficult
because if Maximizer has a concept of "users" and it is
designed to allow any user to modify any other user's data,
then this would not be a vulnerability or exposure, unless
that "cross-user" capability could be used to violate system
integrity, data confidentiality, or the like. There are some
features of Maximizer 6.0 that, if abused, could allow someone
to do some bad things. For example, an attacker could modify
the email addresses for contacts to redirect sales to
locations besides the customer. There's also a capability of
assigning priorities and alarms, which could be susceptible to
an "inconvenience attack" at the very least, as well as
tie-ins to e-commerce capabilities.
The critical question becomes: "how is this data shared" in
the first place? If it's through a network share or other
distribution method besides transferring the complete database
between sites, then this may be accessible to any attacker who
can mimic a Maximizer client (if there is such a thing as a
client), and this could be a vulnerability or exposure
according to the CVE definition.
However, since the Maximizer functionality is unknown to me
and not readily apparent from product documentation, it's hard
to know what to do about this one.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:maximizer-enterprise-calendar-modification(7590)

Description: Corel Word Perfect 8 for Linux creates a temporary working directory
with world-writable permissions, which allows local users to (1)
modify Word Perfect behavior by modifying files in the working
directory, or (2) modify files of other users via a symlink attack.

Description: ZIP drive for Iomega ZIP-100 disks allows attackers with physical
access to the drive to bypass password protection by inserting a known
disk with a known password, waiting for the ZIP drive to power down,
manually replacing the known disk with the target disk, and using the
known password to access the target disk.

Description: Buffer overflow in run-time linkers (1) ld.so or (2) ld-linux.so for
Linux systems allows local users to gain privileges by calling a
setuid program with a long program name (argv[0]) and forcing
ld.so/ld-linux.so to report an error.

Description: System Manager sysmgr GUI in SGI IRIX 6.4 and 6.3 allows remote
attackers to execute commands by providing a trojan horse (1) runtask
or (2) runexec descriptor file, which is used to execute a System
Manager Task when the user's Mailcap entry supports the x-sgi-task or
x-sgi-exec type.

Description: rxvt, when compiled with the PRINT_PIPE option in various Linux
operating systems including Linux Slackware 3.0 and RedHat 2.1, allows
local users to gain root privileges by specifying a malicious program
using the -print-pipe command line parameter.

Description: Buffer overflow in Netscape Navigator/Communicator 4.7 for Windows 95
and Windows 98 allows remote attackers to cause a denial of service,
and possibly execute arbitrary commands, via a long argument after the
? character in a URL that references an .asp, .cgi, .html, or .pl
file.

Description: NAI VirusScan NT 4.0.2 does not properly modify the scan.dat virus
definition file during an update via FTP, but it reports that the
update was successful, which could cause a system administrator to
believe that the definitions have been updated correctly.

Description: Apache WWW server 1.3.1 and earlier allows remote attackers to cause a
denial of service (resource exhaustion) via a large number of MIME
headers with the same name, aka the "sioux" vulnerability.

Description: SystemSoft SystemWizard package in HP Pavilion PC with Windows 98, and
possibly other platforms and operating systems, installs two ActiveX
controls that are marked as safe for scripting, which allows remote
attackers to execute arbitrary commands via a malicious web page that
references (1) the Launch control, or (2) the RegObj control.

Description: xterm in Digital UNIX 4.0B *with* patch kit 5 allows local users to
overwrite arbitrary files via a symlink attack on a core dump file,
which is created when xterm is called with a DISPLAY environment
variable set to a display that xterm cannot access.

Description: The PATH in Windows NT includes the current working directory (.),
which could allow local users to gain privileges by placing Trojan
horse programs with the same name as commonly used system programs
into certain directories.

Description: Majordomo 1.94.3 and earlier allows remote attackers to execute
arbitrary commands when the advertise or noadvertise directive is used
in a configuration file, via shell metacharacters in the Reply-To
header.

Description: IMAP 4.1 BETA, and possibly other versions, does not properly handle
the SIGABRT (abort) signal, which allows local users to crash the
server (imapd) via certain sequences of commands, which causes a core
dump that may contain sensitive password information.

Description: rpc.mountd on Linux, Ultrix, and possibly other operating systems,
allows remote attackers to determine the existence of a file on the
server by attempting to mount that file, which generates different
error messages depending on whether the file exists or not.

Description: Various modems that do not implement a guard time, or are configured
with a guard time of 0, can allow remote attackers to execute
arbitrary modem commands such as ATH, ATH0, etc., via a "+++" sequence
that appears in ICMP packets, the subject of an e-mail message, IRC
commands, and others.

Description: Quake 2 server 3.13 on Linux does not properly check file permissions
for the config.cfg configuration file, which allows local users to
read arbitrary files via a symlink from config.cfg to the target file.

Description: ssh 2.0.12, and possibly other versions, allows valid user names to
attempt to enter the correct password multiple times, but only prompts
an invalid user name for a password once, which allows remote
attackers to determine user account names on the server.

Description: day5datacopier in SGI IRIX 6.2 trusts the PATH environment variable
to find the "cp" program, which allows local users to execute
arbitrary commands by modifying the PATH to point to a Trojan horse cp
program.

Description: Internet Explorer 5.0 records the username and password for FTP
servers in the URL history, which could allow (1) local users to read
the information from another user's index.dat, or (2) people who are
physically observing ("shoulder surfing") another user to read the
information from the status bar when the user moves the mouse over a
link.

Description: Multiple buffer overflows in smbvalid/smbval SMB authentication
library, as used in Apache::AuthenSmb and possibly other modules,
allow remote attackers to execute arbitrary commands via (1) a long
username, (2) a long password, and (3) other unspecified methods.

Description: HP-UX 9.x does not properly enable the Xauthority mechanism in certain
conditions, which could allow local users to access the X display even
when they have not explicitly been authorized to do so.

Description: Windows 95, 98, and NT 4.0 allow remote attackers to cause a denial of
service by spoofing ICMP redirect messages from a router, which causes
Windows to change its routing tables.

Votes:

ACCEPT(3) Frech, Wall, Cole
MODIFY(1) Meunier
NOOP(2) Christey, Foat

Voter Comments:

Christey> Need to get feedback from MS on this.
Christey> (prompted from Pascal Meunier) should this be treated
as a general design issue with ICMP? Or is it a specific
implementation flaw that only affects Reliant?
Meunier> The description is too narrow and incorrect. Spoofed ICMP
redirect messages can be used to setup man-in-the-middle attacks
instead of a DoS. There's no reason that this behavior would be
limited to Windows, as it is specified by the standard. As I said
elsewhere, ICMP messages should not be acted upon without access
controls.

Description: Oracle Database Assistant 1.0 in Oracle 8.0.3 Enterprise Edition
stores the database master password in plaintext in the spoolmain.log
file when a new database is created, which allows local users to
obtain the password from that file.

Description: KMail in KDE 1.0 provides a PGP passphrase as a command line argument
to other programs, which could allow local users to obtain the
passphrase and compromise the PGP keys of other users by viewing the
arguments via programs that list process information, such as ps.

Description: BackWeb client stores the username and password in cleartext for proxy
authentication in the Communication registry key, which could allow
other local users to gain privileges by reading the password.

Description: Linux 2.1.132 and earlier allows local users to cause a denial of
service (resource exhaustion) by reading a large buffer from a random
device (e.g. /dev/urandom), which cannot be interrupted until the read
has completed.

Christey> CHANGE DESC: "via a symlink attack on the printers temporary file."
Add 5.3 as another affected version.
MISC:ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX
SGI:19961203-02-PX may solve this problem, but the advisory is so
vague that it is uncertain whether this was fixed or not. addnetpr is
not specifically named in the advisory, which names netprint, which is
not specified in the original Bugtraq post. In addition, the date on
the advisory is one day earlier than that of the Bugtraq post, though
that could be a difference in time zones. It seems plausible that the
problem had already been patched (the researcher did say "There *was*
[a] race condition") so maybe SGI released this advisory after the
problem was publicized.
ADDREF BID:330
URL:http://www.securityfocus.com/bid/330
Note: this is a dupe of CAN-1999-1410, but CAN-1999-1410 will
be rejected in favor of CAN-1999-1286.

Description: ICQ 98 beta on Windows NT leaks the internal IP address of a client in
the TCP data segment of an ICQ packet instead of the public address
(e.g. through NAT), which provides remote attackers with potentially
sensitive information about the client or the internal network
configuration.

Votes:

ACCEPT(3) Frech, Wall, Cole
NOOP(1) Foat

Voter Comments:

Frech> Override EX-BETA in this case, since ICQ is always in beta and is
widely run in production environments.

Description: TCP/IP implementation in Microsoft Windows 95, Windows NT 4.0, and
possibly others, allows remote attackers to reset connections by
forcing a reset (RST) via a PSH ACK or other means, obtaining the
target's last sequence number from the resulting packet, then spoofing
a reset to the target.

Description: Transarc DCE Distributed File System (DFS) 1.1 for Solaris 2.4 and 2.5
does not properly initialize the grouplist for users who belong to a
large number of groups, which could allow those users to gain access
to resources that are protected by DFS.

Description: Buffer overflow in Kerberos IV compatibility libraries as used in
Kerberos V allows local users to gain root privileges via a long line
in a kerberos configuration file, which can be specified via the
KRB_CONF environmental variable.

Description: rcp on various Linux systems including Red Hat 4.0 allows a "nobody"
user or other user with UID of 65535 to overwrite arbitrary files,
since 65535 is interpreted as -1 by chown and other system calls,
which causes the calls to fail to modify the ownership of the file.
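This entry relies on 65535 and (uid_t)-1, the POSIX chown() value meaning "leave this id unchanged", being the same value, which holds for the 16-bit uid_t of Linux 2.0 era systems. Added example (mine, not rcp's code): predicates for the collision at 16-bit and at native width, a demonstration that chown(path, -1, -1) succeeds without changing ownership, and a wrapper that refuses the sentinel explicitly. The temp file path is constructed for the demo.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* With a 16-bit uid_t (Linux 2.0 and the Red Hat 4.0 of this entry), 65535
 * and (uid_t)-1, the POSIX chown() value meaning "leave this id unchanged",
 * are the same bit pattern. This predicate reproduces that collision. */
int is_chown_nochange_16(unsigned long uid)
{
    return (uint16_t)uid == (uint16_t)-1;
}

/* The same check at the width this system uses. With a 32-bit uid_t, 65535
 * is an ordinary uid and only 4294967295 is the sentinel. */
int is_chown_nochange_native(unsigned long uid)
{
    return (uid_t)uid == (uid_t)-1;
}

/* Shows the sentinel semantics on a real file: chown(path, -1, -1) returns
 * success and changes nothing, which is why "setting" ownership to uid
 * 65535 on a 16-bit system silently left the previous owner in place.
 * Returns 1 if ownership is unchanged after the call, 0 if it changed,
 * -1 on error. The temp file path is constructed for the demo. */
int chown_minus_one_is_noop(void)
{
    char path[] = "/tmp/chown-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    struct stat before, after;
    int result = -1;
    if (fstat(fd, &before) == 0 &&
        chown(path, (uid_t)-1, (gid_t)-1) == 0 &&
        stat(path, &after) == 0)
        result = (before.st_uid == after.st_uid && before.st_gid == after.st_gid);
    close(fd);
    unlink(path);
    return result;
}

/* Defensive wrapper: refuse the sentinel instead of passing it to chown(),
 * so a caller cannot "change" ownership to a value the kernel ignores.
 * Returns 0 on success, -1 if either id is the no-change value or chown()
 * fails. */
int chown_checked(const char *path, unsigned long uid, unsigned long gid)
{
    if (is_chown_nochange_native(uid) || is_chown_nochange_native(gid))
        return -1;
    return chown(path, (uid_t)uid, (gid_t)gid);
}

int main(void)
{
    printf("65535 == (uint16_t)-1: %d\n", is_chown_nochange_16(65535));
    printf("65535 == (uid_t)-1 on this system: %d\n", is_chown_nochange_native(65535));
    printf("chown(path, -1, -1) left ownership unchanged: %d\n", chown_minus_one_is_noop());
    return 0;
}
```

On a modern Linux the native check reports 0 for 65535 because uid_t is 32 bits; the 16-bit predicate is what reproduces the condition the description refers to.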

Description: Cisco IOS 9.1 and earlier does not properly handle extended IP access
lists when the IP route cache is enabled and the "established" keyword
is set, which could allow attackers to bypass filters.

Frech> XF:cisco-acl-established(1248)
Possibly duplicate with CVE-1999-0162?
Christey> Might be a duplicate of CVE-1999-0162, but CVE-1999-0162 was
released in 1995, whereas this bug was released in 1992.

Description: Vulnerability in union file system in FreeBSD 2.2 and earlier, and
possibly other operating systems, allows local users to cause a denial
of service (system reload) via a series of certain mount_union
commands.

Description: Auto_FTP.pl script in Auto_FTP 0.2 uses the /tmp/ftp_tmp as a shared
directory with insecure permissions, which allows local users to (1)
send arbitrary files to the remote server by placing them in the
directory, and (2) view files that are being transferred.

Description: PAM configuration file for rlogin in Red Hat Linux 6.1 and earlier
includes a less restrictive rule before a more restrictive one, which
allows users to access the host via rlogin even if rlogin has been
explicitly disabled using the /etc/nologin file.

Description: ARCAD Systemhaus 0.078-5 installs critical programs and files with
world-writeable permissions, which could allow local users to gain
privileges by replacing a program with a Trojan horse.

Description: Nosque MsgCore 2.14 stores passwords in cleartext: (1) the
administrator password in the AdmPasswd registry key, and (2) user
passwords in the Userbase.dbf data file, which could allow local users
to gain privileges.

Description: E-mail client in Softarc FirstClass Internet Server 5.506 and earlier
stores usernames and passwords in cleartext in the files (1) home.fc
for version 5.506, (2) network.fc for version 3.5, or (3) FCCLIENT.LOG
when logging is enabled.

Description: Netscape Communicator 4.04 through 4.7 (and possibly other versions)
in various UNIX operating systems converts the 0x8b character to a "<"
sign, and the 0x9b character to a ">" sign, which could allow remote
attackers to attack other clients via cross-site scripting (CSS) in
CGI programs that do not filter these characters.
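The point of this entry is that an output filter which escapes only ASCII '<' and '>' is bypassed when the client turns 0x8B and 0x9B into those characters. Added example, not Netscape's or any CGI library's code: one escaping routine with a flag selecting the naive or the hardened behaviour, plus a helper that models how the affected client would see the result. The payload is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copies in[0..inlen) to out, replacing angle brackets with HTML entities.
 * treat_c1 == 0: escape only ASCII '<' and '>' (the filter this entry says
 * is not enough). treat_c1 != 0: also escape 0x8B and 0x9B, because the
 * affected client renders those bytes as '<' and '>'. Returns the number
 * of bytes escaped, or -1 if out (outsz bytes) is too small. */
int escape_angle(const unsigned char *in, size_t inlen, int treat_c1,
                 char *out, size_t outsz)
{
    size_t o = 0;
    int escaped = 0;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = in[i];
        const char *rep = NULL;
        if (c == '<' || (treat_c1 && c == 0x8B))
            rep = "&lt;";
        else if (c == '>' || (treat_c1 && c == 0x9B))
            rep = "&gt;";
        if (rep) {
            size_t rl = strlen(rep);
            if (o + rl >= outsz) return -1;      /* keep room for the NUL */
            memcpy(out + o, rep, rl);
            o += rl;
            escaped++;
        } else {
            if (o + 1 >= outsz) return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return escaped;
}

/* Models the affected client: returns 1 if, after mapping 0x8B to '<', the
 * filtered text still contains a tag opener. */
int client_sees_tag(const char *filtered)
{
    for (const unsigned char *p = (const unsigned char *)filtered; *p; p++)
        if (*p == '<' || *p == 0x8B)
            return 1;
    return 0;
}

int main(void)
{
    /* constructed payload: a script tag written with 0x8B/0x9B instead of <> */
    const unsigned char payload[] = "\x8b" "script" "\x9b" "alert(1)" "\x8b" "/script" "\x9b";
    char out[64];
    escape_angle(payload, sizeof payload - 1, 0, out, sizeof out);
    printf("ASCII-only filter, client sees a tag: %d\n", client_sees_tag(out));
    escape_angle(payload, sizeof payload - 1, 1, out, sizeof out);
    printf("hardened filter, client sees a tag: %d (%s)\n", client_sees_tag(out), out);
    return 0;
}
```

The general lesson is that output encoding has to be decided against the character set the client will actually apply, not against the bytes the server thinks it is sending; declaring a charset explicitly removes most of the guesswork.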

Description: Windows NT 3.51 and 4.0 running WINS (Windows Internet Name Service)
allows remote attackers to cause a denial of service (resource
exhaustion) via a flood of malformed packets, which causes the server
to slow down and fill the event logs with error messages.

Description: Windows NT searches a user's home directory (%systemroot% by default)
before other directories to find critical programs such as
NDDEAGNT.EXE, EXPLORER.EXE, USERINIT.EXE or TASKMGR.EXE, which could
allow local users to bypass access restrictions or gain privileges by
placing a Trojan horse program into the root directory, which is
writable by default.

Description: Internet Explorer 5.0 does not properly reset the username/password
cache for Web sites that do not use standard cache controls, which
could allow users on the same system to access restricted web sites
that were visited by other users.

Description: AV Option for MS Exchange Server option for InoculateIT 4.53, and
possibly other versions, only scans the Inbox folder tree of a
Microsoft Exchange server, which could allow viruses to escape
detection if a user's rules cause the message to be moved to a
different mailbox.

Description: The setup wizard (ie5setup.exe) for Internet Explorer 5.0 disables (1)
the screen saver, which could leave the system open to users with
physical access if a failure occurs during an unattended installation,
and (2) the Task Scheduler Service, which might prevent the scheduled
execution of security-critical programs.

Description: perlshop.cgi shopping cart program stores sensitive customer
information in directories and files that are under the web root,
which allows remote attackers to obtain that information via an HTTP
request.

Votes:

MODIFY(1) Frech
NOOP(3) Wall, Foat, Cole

Voter Comments:

Frech> XF:perlshop-cgi-obtain-information(7557)

CAN-1999-1375

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990211 Using FSO in ASP to view just about anything
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91877455626320&w=2
Reference: BID:230
Reference: URL:http://www.securityfocus.com/bid/230

Description: FileSystemObject (FSO) in the showfile.asp Active Server Page (ASP)
allows remote attackers to read arbitrary files by specifying the name
in the file parameter.

Description: (1) bash before 1.14.7, and (2) tcsh 6.05 allow local users to gain
privileges via directory names that contain shell metacharacters (`
back-tick), which can cause the commands enclosed in the directory
name to be executed when the shell expands filenames using the \w
option in the PS1 variable.

Description: Windows NT 4.0 SP2 allows remote attackers to cause a denial of
service (crash), possibly via malformed inputs or packets, such as
those generated by a Linux smbmount command that was compiled on the
Linux 2.0.29 kernel but executed on Linux 2.0.25.

Description: US Robotics/3Com Total Control Chassis with Frame Relay between 3.6.22
and 3.7.24 does not properly enforce access filters when the "set host
prompt" setting is made for a port, which allows attackers to bypass
restrictions by providing the hostname twice at the "host: " prompt.

Description: Control Panel "Password Security" option for Apple Powerbooks allows
attackers with physical access to the machine to bypass the security
by booting it with an emergency startup disk and using a disk editor
to modify the on/off toggle or password in the aaaaaaaAPWD file, which
is normally inaccessible.

Description: BSD 4.4 based operating systems, when running at security level 1,
allow the root user to clear the immutable and append-only flags for
files by unmounting the file system and using a file system editor
such as fsdb to directly modify the file through a device.

Frech> XF:vms-monitor-gain-privileges(7136)
Duplicate of CAN-1999-1056? If not, indicate why in Analysis
comments.
Christey> Note that CAN-1999-1056
Christey> CAN-1999-1056 is in fact a duplicate. This candidate will
be kept, and CAN-1999-1056 will be REJECTed, because this
candidate has more references.

Description: Index Server 2.0 on IIS 4.0 stores physical path information in the
ContentIndex\Catalogs subkey of the AllowedPaths registry key, whose
permissions allows local and remote users to obtain the physical paths
of directories that are being indexed.

Description: The Economist screen saver 1999 with the "Password Protected" option
enabled allows users with physical access to the machine to bypass the
screen saver and read files by running Internet Explorer while the
screen is still locked.

Description: snap command in AIX before 4.3.2 creates the /tmp/ibmsupt directory
with world-readable permissions and does not remove or clear the
directory when snap -a is executed, which could allow local users to
access the shadowed password file by creating
/tmp/ibmsupt/general/passwd before root runs snap -a.

Description: Vulnerability in AIX 4.1.4 and HP-UX 10.01 and 9.05 allows local users
to cause a denial of service (crash) by using a socket to connect to a
port on the localhost, calling shutdown to clear the socket, then
using the same socket to connect to a different port on localhost.

Description: A possible interaction between Apple MacOS X release 1.0 and Apache
HTTP server allows remote attackers to cause a denial of service
(crash) via a flood of HTTP GET requests to CGI programs, which
generates a large number of processes.

Description: Solaris 2.4 before kernel jumbo patch -35 allows set-gid programs to
dump core even if the real user id is not in the set-gid group, which
allows local users to overwrite or create files at higher privileges
by causing a core dump, e.g. through dmesg.

Votes:

MODIFY(2) Frech, Dik
NOOP(2) Foat, Cole

Voter Comments:

Frech> XF:solaris-coredump-symlink(7196)
Dik> sun bug: 1208241
Also applies to set-uid executables that have made real
and effective uid identical

Description: NBase switches NH208 and NH215 run a TFTP server which allows remote
attackers to send software updates to modify the switch or cause a
denial of service (crash) by guessing the target filenames, which have
default names.

Description: The default configuration of Slackware 3.4, and possibly other
versions, includes . (dot, the current directory) in the PATH
environment variable, which could allow local users to create Trojan
horse programs that are inadvertently executed by other users.
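The Windows NT entry earlier on this page (PATH includes ".") and this Slackware entry share a check a practitioner wants to script: find any PATH entry that resolves to the current directory, including the empty entries that a leading, trailing or doubled separator creates, which POSIX shells also treat as ".". Added example, not from either vendor; ':' is the UNIX separator and ';' the Windows one, and the helper that rewrites PATH without those entries is my assumption about what a hardening script would apply.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* An entry resolves to the current directory if it is empty (which a
 * leading, trailing or doubled separator produces and which POSIX shells
 * treat as "."), or is "." or "./". */
static int entry_is_cwd(const char *p, size_t len)
{
    return len == 0 ||
           (len == 1 && p[0] == '.') ||
           (len == 2 && p[0] == '.' && p[1] == '/');
}

/* Returns the 0-based position of the first PATH entry that resolves to the
 * current directory, or -1 if there is none. sep is ':' on UNIX and ';' on
 * Windows. */
int path_cwd_entry_index(const char *path, char sep)
{
    if (path == NULL) return -1;
    const char *p = path;
    for (int idx = 0; ; idx++) {
        const char *end = strchr(p, sep);
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (entry_is_cwd(p, len)) return idx;
        if (!end) return -1;
        p = end + 1;
    }
}

/* Writes a copy of path with every current-directory entry removed into
 * out (outsz bytes). Returns the number of entries removed, or -1 if out
 * is too small. Assumption: this is what a hardening script would apply. */
int path_strip_cwd(const char *path, char sep, char *out, size_t outsz)
{
    if (path == NULL || outsz == 0) return -1;
    size_t o = 0;
    int removed = 0, first = 1;
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, sep);
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (entry_is_cwd(p, len)) {
            removed++;
        } else {
            size_t need = len + (first ? 0 : 1);
            if (o + need >= outsz) return -1;     /* keep room for the NUL */
            if (!first) out[o++] = sep;
            memcpy(out + o, p, len);
            o += len;
            first = 0;
        }
        if (!end) break;
        p = end + 1;
    }
    out[o] = '\0';
    return removed;
}

int main(void)
{
    const char *path = getenv("PATH");
    int idx = path_cwd_entry_index(path, ':');
    if (idx < 0) {
        printf("PATH has no current-directory entry\n");
    } else {
        char fixed[4096];
        int n = path_strip_cwd(path, ':', fixed, sizeof fixed);
        printf("PATH entry %d resolves to the current directory; %d such entries\n", idx, n);
        if (n >= 0) printf("suggested PATH=%s\n", fixed);
    }
    return 0;
}
```

Run it under the account whose PATH is in question; the empty-entry cases are the ones that survive a casual visual check, since "/usr/bin:" looks harmless.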

Description: PIM software for Royal daVinci does not properly password-protect
access to data stored in the .mdb (Microsoft Access) file, which
allows local users to read the data without a password by directly
accessing the files with a different application, such as Access.

Description: ZAK in Appstation mode allows users to bypass the "Run only allowed
apps" policy by starting Explorer from Office 97 applications (such as
Word), installing software into the TEMP directory, and changing the
name to that for an allowed application, such as Winword.exe.

Description: login in Slackware Linux 3.2 through 3.5 does not properly check for
an error when the /etc/group file is missing, which prevents it from
dropping privileges, causing it to assign root privileges to any local
user who logs on to the server.

Description: Win32 ICQ 98a 1.30, and possibly other versions, does not display the
entire portion of long filenames, which could allow attackers to send
an executable file with a long name that contains so many spaces that
the .exe extension is not displayed, which could make the user believe
that the file is safe to open from the client.

Description: Linux 2.0.34 does not properly prevent users from sending SIGIO
signals to arbitrary processes, which allows local users to cause a
denial of service by sending SIGIO to processes that do not catch it.

Description: Bug in AMD K6 processor on Linux 2.0.x and 2.1.x kernels allows local
users to cause a denial of service (crash) via a particular sequence
of instructions, possibly related to accessing addresses outside of
segments.

Description: Micah Software Full Armor Network Configurator and Zero Administration
allow local users with physical access to bypass the desktop
protection by (1) using <CTRL><ALT><DEL> and killing the process using
the task manager, (2) booting the system from a separate disk, or (3)
interrupting certain processes that execute while the system is
booting.

Description: Vulnerability in imapd and ipop3d in Slackware 3.4 and 3.3 with
shadowing enabled, and possibly other operating systems, allows remote
attackers to cause a core dump via a short sequence of USER and PASS
commands that do not provide valid usernames or passwords.

Description: Internet Explorer 3 records a history of all URLs that are visited by
a user in DAT files located in the Temporary Internet Files and
History folders, which are not cleared when the user selects the
"Clear History" option, and are not visible when the user browses the
folders because of tailored displays.

Description: Eudora and Eudora Light before 3.05 allow remote attackers to cause a
crash and corrupt the user's mailbox via an e-mail message with
certain dates, such as (1) dates before 1970, which cause a Divide By
Zero error, or (2) dates that are 100 years after the current date,
which cause a segmentation fault.

Description: Macromedia "The Matrix" screen saver on Windows 95 with the "Password
protected" option enabled allows attackers with physical access to the
machine to bypass the password prompt by pressing the ESC (Escape)
key.

Votes:

MODIFY(1) Frech
NOOP(4) Christey, Wall, Foat, Cole

Voter Comments:

Christey> Looks like there might have been a re-discovery, though the
exploit is slightly different, and there is insufficient
detail to be certain that this isn't for a different
Matrix screen saver:
BUGTRAQ:20010801 matrix screensvr(16 Bit CineMac Screen Saver Engine) - [input validation error?]
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99669949717618&w=2
BID:3130
URL:http://www.securityfocus.com/bid/3130
Frech> XF:matrix-win95-password-bypass(8280)

Description: Buffer overflow in thttpd HTTP server before 2.04-31 allows remote
attackers to execute arbitrary commands via a long date string, which
is not properly handled by the tdate_parse function.

Christey> The vendor has acknowledged this vulnerability via e-mail. It
has been fixed.
NOTE: despite the fact that this candidate has been acknowledged
and fixed by the vendor, it is affected by the CVE content
decision CD:SF-LOC. It cannot be accepted until the
CD:SF-LOC guidelines have been finalized.

Description: BMC PATROL SNMP Agent before 3.2.07 allows local users to create
arbitrary world-writeable files as root by specifying the target file
as the second argument to the snmpmagt program.

Votes:

MODIFY(1) Frech
NOOP(4) Christey, Wall, Foat, Cole

Voter Comments:

Frech> XF:patrol-snmp-file-creation(2347)
Christey> The vendor has acknowledged this vulnerability via e-mail. It
has been fixed.
NOTE: despite the fact that this candidate has been acknowledged
and fixed by the vendor, it is affected by the CVE content
decision CD:SF-LOC. It cannot be accepted until the
CD:SF-LOC guidelines have been finalized.

Description: inpview in InPerson on IRIX 5.3 through IRIX 6.5.10 trusts the PATH
environmental variable to find and execute the ttsession program,
which allows local users to obtain root access by modifying the PATH
to point to a Trojan horse ttsession program.

Description: Windows NT 4.0 before SP3 allows remote attackers to bypass firewall
restrictions or cause a denial of service (crash) by sending
improperly fragmented IP packets without the first fragment, which the
TCP/IP stack incorrectly reassembles into a valid session.

Description: Vulnerability in Cisco IOS 11.1CC and 11.1CT with distributed fast
switching (DFS) enabled allows remote attackers to bypass certain
access control lists when the router switches traffic from a
DFS-enabled interface to an interface that does not have DFS enabled,
as described by Cisco bug CSCdk35564.

Description: Vulnerability in Cisco IOS 11.1 through 11.3 with distributed fast
switching (DFS) enabled allows remote attackers to bypass certain
access control lists when the router switches traffic from a
DFS-enabled input interface to an output interface with a logical
subinterface, as described by Cisco bug CSCdk43862.

Frech> XF:cisco-acl-established(1248)
Possible dupe with CVE-1999-0162.
Christey> This is not a dupe with CVE-1999-0162. The Cisco advisory
referenced in CVE-1999-0162 says that affected Cisco versions
are 10.0 through 10.3. This CAN deals with versions 8.2
through 9.1. In addition, the date of release of
CVE-1999-0162 is June 1995; this CAN was released December
1992. Both items include clear Cisco acknowledgement with
details, so we should conclude that they are separate
problems, despite the vagueness of the reports.

Description: Buffer overflow in w3-auth CGI program in miniSQL package allows
remote attackers to execute arbitrary commands via an HTTP request
with (1) a long URL, or (2) a long User-Agent MIME header.

Description: PowerPoint 95 and 97 allows remote attackers to cause an application
to be run automatically without prompting the user, possibly through
the slide show, when the document is opened in browsers such as
Internet Explorer.

Votes:

ACCEPT(6) Frech, Wall, Foat, Cole, Armstrong, Stracener

Voter Comments:

Frech> Looks like CONFIRM URL is too old for Microsoft to keep
(currently cached at
http://www.google.com/search?q=cache:86loHcRhaL4:www.microsoft.com/ie/security/powerpoint.htm+%22PowerPoint+Browsing+Security+Issue%22&hl=en
). Same information is available at BugTraq at
http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=6724

Description: ProFTPd 1.2 compiled with the mod_sqlpw module records user passwords
in the wtmp log file, which allows local users to obtain the passwords
and gain privileges by reading wtmp, e.g. via the last command.

Description: nsd in IRIX 6.5 through 6.5.2 exports a virtual filesystem on a UDP
port, which allows remote attackers to view files and cause a possible
denial of service by mounting the nsd virtual file system.

Christey> The description needs to be modified to mention the role of
timex. The one-line description for the IX75554
APAR mentions timex instead of sadc, but the BID mentions
sadc and not timex. This apparent discrepancy is resolved
by a README file for the fileset that is used by IX75554:
CONFIRM:http://techsupport.services.ibm.com/aix/fixes/v4/os/bos.acct.4.3.1.0.info
This clearly shows the relationship between timex and sadc.
Bollinger> The one line abstract is somewhat misleading. The timex
command calls sadc with a filename and it's the sadc command that can
be tricked into modifying files owned by the adm group. Since sadc is
only executable by group adm, a local attacker would need to use timex
to exploit this. (timex is setgid adm.) So the vulnerability is
really in sadc and that's where the fix was made.

Description: abuse.console in Red Hat 2.1 uses relative pathnames to find and
execute the undrv program, which allows local users to execute
arbitrary commands via a path that points to a Trojan horse program.

Description: Sudo 1.5 in Debian Linux 2.1 and Red Hat 6.0 allows local users to
determine the existence of arbitrary files by attempting to execute
the target filename as a program, which generates a different error
message when the file does not exist.

Description: named in ISC BIND 4.9 and 8.1 allows local users to destroy files via
a symlink attack on (1) named_dump.db when root kills the process with
a SIGINT, or (2) named.stats when SIGIOT is used.

Votes:

MODIFY(1) Frech
NOOP(2) Wall, Cole
REJECT(1) Foat

Voter Comments:

Foat> The files get written to /var/named which the user does not have write
access.
Frech> XF:bind-sigint-sigiot-symlink(7366)

Description: (1) ipxchk and (2) ipxlink in SGI OS2 IRIX 6.3 do not properly clear
the IFS environmental variable before executing system calls, which
allows local users to execute arbitrary commands.

Description: Buffer overflows in Xtramail 1.11 allow attackers to cause a denial of
service (crash) and possibly execute arbitrary commands via (1) a long
PASS command in the POP3 service, (2) a long HELO command in the SMTP
service, or (3) a long user name in the Control Service.

Description: Management information base (MIB) for a 3Com SuperStack II hub running
software version 2.10 contains an object identifier
(.1.3.6.1.4.1.43.10.4.2) that is accessible by a read-only community
string, but lists the entire table of community strings, which could
allow attackers to conduct unauthorized activities.

Description: A non-default configuration in TenFour TFS Gateway 4.0 allows an
attacker to cause a denial of service via messages with incorrect
sender and recipient addresses, which causes the gateway to
continuously try to return the message every 10 seconds.

Description: A buffer overflow in TenFour TFS Gateway SMTP mail server 3.2 allows
an attacker to crash the mail server and possibly execute arbitrary
code by offering more than 128 bytes in a MAIL FROM string.

Description: runtar in the Amanda backup system used in various UNIX operating
systems executes tar with root privileges, which allows a user to
overwrite or read arbitrary files by providing the target files to
runtar.

Description: Operating systems with shared memory implementations based on BSD 4.4
code allow a user to conduct a denial of service and bypass memory
limits (e.g., as specified with rlimits) using mmap or shmget to
allocate memory and cause page faults.

Description: Computalynx CMail 2.4 and CMail 2.3 SP2 SMTP servers are vulnerable to
a buffer overflow attack in the MAIL FROM command that may allow a
remote attacker to execute arbitrary code on the server.

Description: ProSoft Netware Client 5.12 on Macintosh MacOS 9 does not
automatically log a user out of the NDS tree when the user logs off
the system, which allows other users of the same system access to the
unprotected NDS session.

Description: IIS 3.x and 4.x do not distinguish between pages requiring
encryption and those that do not, which allows remote attackers to
cause a denial of service (resource exhaustion) via SSL requests to
the HTTPS port for normally unencrypted files, which will cause IIS
to perform extra work to send the files over SSL.

Description: When IIS 2 or 3 is upgraded to IIS 4, ism.dll is inadvertently left in
/scripts/iisadmin, which does not restrict access to the local machine
and allows an unauthorized user to gain access to sensitive server
information, including the Administrator's password.

Description: Cabletron SmartSwitch Router (SSR) 8000 firmware 2.x can only handle
200 ARP requests per second, allowing a denial of service attack to
succeed with a flood of ARP requests exceeding that limit.

Votes:

MODIFY(1) Frech
NOOP(3) Wall, Foat, Cole

Voter Comments:

Frech> XF:smartswitch-arp-flood-dos(7770)
BID URL should be 821, not 841.

Description: Lynx 2.x does not properly distinguish between internal and external
HTML, which may allow a local attacker to read a "secure" hidden form
value from a temporary file and craft a LYNXOPTIONS: URL that causes
Lynx to modify the user's configuration file and execute commands.

Description: Microsoft SQL Server 6.5 uses weak encryption for the password for the
SQLExecutiveCmdExec account and stores it in an accessible portion of
the registry, which could allow local users to gain privileges by
reading and decrypting the CmdExecAccount value.

Votes:

ACCEPT(2) Wall, Cole
MODIFY(1) Frech
NOOP(2) Christey, Foat

Voter Comments:

Frech> XF:mssql-sqlexecutivecmdexec-password(7354)
Christey> Need to consult MS on this issue.

Description: Buffer overflow in the login functions in IMAP server (imapd) in
Ipswitch IMail 5.0 and earlier allows remote attackers to cause a
denial of service and possibly execute arbitrary code via (1) a long
user name or (2) a long password.

Description: Xylan OmniSwitch before 3.2.6 allows remote attackers to bypass the
login prompt via a CTRL-D (control d) character, which locks other
users out of the switch because it only supports one session at a
time.

Description: Nullsoft SHOUTcast server stores the administrative password in
plaintext in a configuration file (sc_serv.conf), which could allow a
local user to gain administrative privileges on the server.

Description: FreeBSD 3.2 and possibly other versions allows a local user to cause a
denial of service (panic) via a large number of accesses to an NFS v3
mounted directory from a large number of processes.

Description: Seapine Software TestTrack server allows a remote attacker to cause a
denial of service (high CPU) via (1) TestTrackWeb.exe and (2)
ttcgi.exe by connecting to port 99 and disconnecting without sending
any data.

Description: Quake 1 and NetQuake servers allow remote attackers to cause a denial
of service (resource exhaustion or forced disconnection) via a flood
of spoofed UDP connection packets, which exceeds the server's player
limit.

Frech> It seems as if the BID-4089 assignment on this CAN name may be
in error.
BID-4089 (Multiple Vendor SNMP Request Handling Vulnerabilities) is
already assigned to CAN-2002-0013. Also, this CVE issue seems to have
nothing to do with SNMP.
Christey> Agreed, this is the wrong BID. SecurityFocus has assigned
BID:643 to CAN-1999-1570, but there's a bit of an
inconsistency. BID:643 alludes to Bugtraq posts in 1999
from Brock Tellier, mentioning overflows in sar via BOTH the
-o and -f parameters. However, they also link this issue to
SCO advisory 99.17, although the advisory itself is too vague
to *really* know what vulns they fixed. And now the link
to a potentially more detailed document (sse037.ltr)
is broken. So we don't have any independent reason for
knowing whether SCO 99.17 (a) addresses any "sar"
vulnerabilities, and (b) even if it does, whether it addresses
*both* the -o and -f arguments originally claimed by Tellier.
Finally, it seems rather curious that CSSA-2002-SCO.17
talks about a -o overflow but does not mention -f.
Sounds like an email to the security people at SCO
is in order...
OK. Having consulted with SCO (who responded quickly), I
looked even further into this issue. There is now sufficient
evidence that the -f overflow was fixed in 1999. This
means that a separate candidate should be created (by
CD:SF-LOC), so the -f overflow is now covered by
CAN-1999-1571.
Need to DELREF BID:4089
CHANGE> [Frech changed vote from NOOP to ACCEPT]

Christey> BUGTRAQ:20000102 "HPUX Aserver revisited." indicates that two
different versions of aserver have symlink problems, but with
different files. So CD:SF-LOC says we should split this.
Frech> XF:hp-aserver
Christey> BID:1928 and BID:1930? Which one is being described in
this candidate?
Christey> BID:1930

Christey> It's not certain whether this is exploitable or not. An
expert (the linuxconf author?) wasn't able to duplicate the
bug - see http://lwn.net/1999/1223/a/linuxconfresponse.html
The original posting with example exploit was
http://marc.theaimsgroup.com/?l=bugtraq&m=94580196627059&w=2
However - GIAC and the Security Focus incidents list have
consistently reported that scans are taking place for
linuxconf, so do the hackers know more than we do?
Frech> Unless vendor or other confirmation occurs, there has been no corroboration
of this issue in public forums.
CHANGE> [Armstrong changed vote from ACCEPT to NOOP]

Frech> XF:majordomo-local-resend
Christey> The Bugtraq thread indicates that this problem may be
due to misconfiguration, and may extend beyond just the
resend command.
CHANGE> [Armstrong changed vote from REVIEWING to NOOP]
Christey> Include "wrapper" to facilitate search and matching? (but
double-check CAN-2000-0037).
Add "1.94.4 and earlier" as the affected version number.
ADDREF AUSCERT:AA-2000.01
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.01
Cox> ADDREF REDHAT:RHSA-2000:005

Description: Buffer overflow in Winamp client allows remote attackers to execute
commands via a long entry in a .pls file.

Votes:

ACCEPT(2) Wall, Cole
MODIFY(1) Frech
REVIEWING(1) Christey

Voter Comments:

Frech> XF:winamp-playlist-bo
Christey> This may have been discovered earlier in:
BUGTRAQ:19990512 Buffer overflow in WinAMP 2.x
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92662988700367&w=2
See the following for possible confirmation:
URL:http://www.winamp.com/getwinamp/newfeatures.jhtml
Wall> This vulnerability has been seen in several versions of Winamp and part of ISS
X-Force and SecuriTeam vulnerability checks.
CHANGE> [Christey changed vote from NOOP to REVIEWING]

Frech> XF:sol-chkperm-bo(3870)
Dik> chkperm runs set-uid bin, so initially the access granted
will be user bin, not root. (Though bin access can easily be leveraged
to root access, less so in Solaris 8+)
Also, there is reason to believe this bug is not exploitable; the buffer
overflown is declared in the stack in main(); yet, the program never
returns from main() but calls exit instead so any damage to return addresses
is never noticed.

Description: Network HotSync program in Handspring Visor does not have
authentication, which allows remote attackers to retrieve email and
files.

Votes:

MODIFY(1) Frech
NOOP(1) Christey

Voter Comments:

Frech> XF:handspring-visor-auth(3873)
Consider removing the security-express.com reference, since it is identical
to the BugTraq reference. The BugTraq reference is (hopefully) not going to
disappear soon, and the security-express.com reference provides no new or
additional information.
Christey> URLs will begin to be included with candidates to support
Board members' voting activities. They will be converted to
the generalized reference format when the candidate is
ACCEPTed and becomes an official entry.
Christey> The problem may not be a lack of authentication (as mentioned
by the poster), but rather weak authentication (the apparent
need to provide the same username).

Description: Internet Explorer 5 does not modify the security zone for a document
that is being loaded into a window until after the document has been
loaded, which could allow remote attackers to execute Javascript in a
different security context while the document is loading.

Votes:

MODIFY(2) LeBlanc, Frech
REJECT(1) Christey

Voter Comments:

Frech> XF:ie-cross-frame-docs(3901)
LeBlanc> - I'd like to see a KB or bulletin referenced
Christey> This is a duplicate of CVE-2000-0156. The FAQ at
http://www.microsoft.com/technet/security/bulletin/fq00-009.asp.
says "the vulnerability requires Active Scripting" and
"it is possible, under very specific conditions, to violate IE's
cross-domain security model." Also says "the redirect is made, via
the <IMG SRC> HTML tag"
Need to copy these references over to CVE-2000-0156.

Description: IIS 4.0 allows a remote attacker to obtain the real pathname of the
document root by requesting non-existent files with .ida or .idq
extensions.

Votes:

ACCEPT(2) Levy, LeBlanc
MODIFY(1) Frech
REJECT(1) Christey

Voter Comments:

Frech> XF:iis-ida-idq-paths
Christey> Consider adding:
ADDREF BID:1065
BUGTRAQ:20000309 Enumerate Root Web Server Directory Vulnerability for IIS 4.0
Are there really 2 different threads on the same problem?
Also consider XF:iis-root-enum
May also be a dupe of CAN-1999-0450 (BID:194)
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Appears to be a duplicate of CVE-2000-0098. Confirm with
Microsoft, and if it is a duplicate, then REJECT this
candidate.
CHANGE> [Christey changed vote from REVIEWING to REJECT]
Christey> Confirmed duplicate by Microsoft.
Christey> iis-ida-idq-paths(4346) is obsolete; ensure
http-indexserver-path(3890) is added to CVE-2000-0098.

Frech> XF:plusmail-password-permissions
Christey> Re-read the Bugtraq post to make sure the problem is described
properly. The advisory itself is vague as to the nature of
the problem, and the exploit doesn't help clarify too much.
Christey> Consider adding BID:2653

Description: The October 1998 version of the HP-UX aserver program allows local
users to gain privileges by specifying an alternate PATH which aserver
uses to find the ps and grep commands.

Votes:

MODIFY(1) Frech
REVIEWING(1) Christey

Voter Comments:

Frech> ADDREF XF:hp-aserver
Christey> The Bugtraq posting does not mention specific versions.
Is October 1998 equivalent to HP-UX 10.x?
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> BID:1929
Make sure not dupes with CAN-2000-0005 and CAN-20000-0078.

Description: The June 1999 version of the HP-UX aserver program allows local users
to gain privileges by specifying an alternate PATH which aserver uses
to find the awk command.

Votes:

ACCEPT(1) Prosser
MODIFY(1) Frech
REVIEWING(1) Christey

Voter Comments:

Frech> ADDREF XF:hp-aserver
Christey> The Bugtraq posting does not mention specific versions.
Is June 1999 equivalent to HP-UX 10.x?
Prosser> The HP Bulletin (already ref'd) just specifies 10.x and 11.x OS versions running on HP9000 700/800 series. According to Tripp (bugtraq), the audio server doesn't run on a machine without Audio Hardware (logical). So one has to assume from the bulletin that any 9000 with audio hardware that is running a 10.x or 11.x version of OS with either the 98 or 99 version of Aserver loaded will be vulnerable to either the exploit in CAN-1999-0005 (the 98 version of Aserver) or CAN-2000-0078 (the 99 version) and should take appropriate action. No patches out from HP as of 10/2/2000 so either remove the program or tighten the permissions considerably.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> BID:1929
Make sure not dupes with CAN-2000-0005 and CAN-20000-0077.

Description: The W3C CERN httpd HTTP server allows remote attackers to determine
the real pathnames of some commands via a request for a nonexistent
URL.

Votes:

MODIFY(1) Frech
NOOP(2) Williams, Christey
RECAST(1) LeBlanc

Voter Comments:

Frech> XF:w3c-httpd-reveal-paths
LeBlanc> Title references IIS, vuln references W3C CERN httpd. Which
one is broken?
Christey> The mention of CERN httpd was buried in a followup on a
description of an IIS problem, so this is the correct reference.

Description: Hotmail does not properly filter JavaScript code from a user's
mailbox, which allows a remote attacker to execute the code by using
hexadecimal codes to specify the javascript: protocol,
e.g. j&#x41;vascript.

Frech> XF:cuteftp-weak-encrypt(3910)
Christey> BUGTRAQ:20010823 Re: Respondus v1.1.2 stores passwords using weak encryption
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99861651923668&w=2
This followup to a different thread mentions the sm.dat file
for the site manager.

Cole> I would combine all of these shopping cart applications into one listing,
since they all have the same vulnerability being able to modify sensitive
purchase information via hidden form fields. My concern is in cases like
this we used over 10 entries for basically the same vulnerability. I could
think of cases where there could be 20+ applications with the same
vulnerability and in my opinion it could start to weaken the value of CVE
where there are 30 entries all referring to the same thing. It is almost
like we are playing the vendor game where more is better. I think we
should go after the quality over quantity aspect.
Christey> I disagree with Eric here. This vulnerability is a "type" of
problem in the same way that a buffer overflow is a "type" of
problem. While the shopping cart application bugs were
proposed mostly at the same time, they are all by different
vendors.
The raw numbers of applications with this problem can make it
appear that CVE is artificially inflating the number of
entries. However, content decisions such as CD:SF-LOC
(different lines of code) dictate that these should be
separated. It's not a "numbers game" but rather a principled
and consistent approach to resolving problems with
selecting a level of abstraction.
Frech> XF:shopping-cart-form-tampering

Description: Outlook Express 5.01 and Internet Explorer 5.01 allow remote attackers
to view a user's email messages via a script that accesses a variable
that references subsequent email messages that are read by the client.

Votes:

ACCEPT(2) Wall, Cole
MODIFY(1) Frech
REVIEWING(1) Christey

Voter Comments:

Frech> email-active-script-html
Christey> Acknowledged via personal communication with Microsoft
personnel, but I need to look through my email logs to recall
whether they said that it is a duplicate of CAN-2000-0653
CHANGE> [Christey changed vote from NOOP to REVIEWING]

Description: IIS allows local users to cause a denial of service via invalid
regular expressions in a Visual Basic script in an ASP page.

Votes:

ACCEPT(1) Cole
REJECT(2) Frech, LeBlanc
REVIEWING(1) Wall

Voter Comments:

Frech> This reference to NTBugtraq has a message that ends with "Can anyone
reproduce this?", and there are no followups. This makes for a weak
reference. There are also no other references listed for this CAN.
LeBlanc> - no follow-ups, no KB article, no fix
CHANGE> [Frech changed vote from REVIEWING to REJECT]

Description: The Red Hat Linux su program does not log failed password guesses if
the su process is killed before it times out, which allows local
attackers to conduct brute force password guessing.

Votes:

ACCEPT(3) Levy, Cole, Baker
MODIFY(1) Frech
NOOP(2) Wall, Christey

Voter Comments:

Frech> Is this the same issue as BugTraq Mailing List, Wed, 9 Jun 1999 14:07:27
-0700 "vulnerability in su/PAM in redhat" at
http://www.netspace.org/cgi-bin/wa?A2=ind9906b&L=bugtraq&F=&S=&P=5356 and
"Solaris 2.5 /bin/su [was: vulnerability in su/PAM in redhat]" at
http://www.netspace.org/cgi-bin/wa?A2=ind9906b&L=bugtraq&F=&S=&P=6051
If so, then MODIFY XF:su-brute
Christey> BID:320
URL:http://www.securityfocus.com/vdb/bottom.html?vid=320
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:su-brute(2278)
This issue involves more platforms than Red Hat. See BugTraq
Mailing List, Thu Jun 10 1999 12:13:06, "Solaris 2.5 /bin/su [was:
vulnerability in su/PAM in redhat]",
http://www.securityfocus.com/archive/1/14854
Christey> It does look like this is the same issue as the other Bugtraq
post that explicitly mentions Red Hat and PAM.

Description: The default configurations for McAfee Virus Scan and Norton Anti-Virus
virus checkers do not check files in the RECYCLED folder that is used
by the Windows Recycle Bin utility, which allows attackers to store
malicious code without detection.

Description: Frontpage Server Extensions allows remote attackers to determine the
physical path of a virtual directory via a GET request to the
htimage.exe CGI program.

Votes:

ACCEPT(3) LeBlanc, Wall, Cole
MODIFY(1) Frech
NOOP(1) Christey

Voter Comments:

Frech> XF:ms-frontpage-get-htimage
Christey> It appears that this was rediscovered on April 18, 2000:
BUGTRAQ:20000418 More vulnerabilities in FP
URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D38FCAC0C.869611C0%40hobbiton.org
This in turn may match BID:1141
Christey> According to Scott Culp of Microsoft, this was patched in MS:MS00-028.
Christey> BID:1141 ??

Frech> XF:iis-dir-traversal-read
Christey> This may be a variant of CVE-2000-0097 or CVE-2000-0098.
MS:MS00-006 says that a new variant was announced on February 4,
but that it only revealed the physical path. The post related
to this CAN is dated February 2, but it describes the impact
as being able to read files.
See http://marc.theaimsgroup.com/?l=bugtraq&m=94972759912790&w=2
Christey> According to Mark Burnett: "CISADV000202 [described] idq.dll
and involving .idq files... IDQ files are vulnerable to a
double-dot bug that allows files on the same partition as the
web root to be viewed.... [This candidate] refers to the same
MS00-006"
ADDREF MS:MS00-006
ADDREF BID:968 ?
Frech> Change iis-dir-traversal-read(4014) to http-indexserver-view-files(4232)

Frech> XF:win-shortcut-api-bo
The real problem seems to be with the Windows API call, not the Serv-U FTP
app. As the "Windows Api SHGetPathFromIDList Buffer Overflow" reference
states, [The bug can] "cause whatever handles the shortcuts to crash."
As a suggestion, rephrase the description from Windows's context, and state
that the Serv-U FTP server is an example of an app that exhibits this
problem.
Wall> Comment: the original UssrLabs advisory does mention the SHGetPathFromIDList
buffer overflow in a Windows API and that Serv-U FTP uses this API to cause the
problem. The problem does not exist on Windows 2000. The solution seems to be
in a new release of Serv-U FTP.
Levy> BID 970
Christey>
Reports indicate that while the vulnerable function was found in Serv-U FTP
server, the function is actually from Microsoft, and as such may affect other
applications.
XF:win-shortcut-api-bo
BID:970

Frech> How is this different from MITRE:CVE-2000-0162, other than the
fact that it has an MS advisory that's vague on the reason but
has the same outcome, and this one mentions the
getSystemResourceAsStream function?
Christey> This is a duplicate of CVE-2000-0162, as confirmed via David
LeBlanc. The descriptions of CAN-2000-0132 and CVE-2000-0162 were
significantly different, as was the descriptive text of
MS:MS00-011 and the original Bugtraq posting. So this
duplicate wasn't picked up before. CVE-2000-0162 needs to be
modified to include XF:virtual-machine-file-read as a
reference.
LeBlanc> Duplicate
Christey> Ensure that CVE-2000-0162 uses msvm-java-file-read(4024) now,
instead of virtual-machine-file-read(4577)
Frech> If duplicate with CAN-2000-0098, shouldn't the references be
moved over to the valid CVE number? Please advise.
Christey> When CAN-2000-0132 is rejected, the references will be added
to CVE-2000-0098.

Christey> **********************************************************
THIS CANDIDATE HAS GENERATED A LONG THREAD. SEE THE
EDITORIAL BOARD ARCHIVES FOR DETAILS, BEGINNING AT
http://cve.mitre.org/Board_Sponsors/archives/msg00590.html
**********************************************************
Ziese>
I'd like to suggest that we consider not tying this
specifically to a DDOS tool. Instead, since we are at a higher
abstraction level, that we make the class include those master/slave
tool combinations that are used for malicious purposes (i.e. DDOS,
data exfiltration, or whatever the appropriate classes of effect are).
My concern is that (1) we treat all distributed attacks at the same
abstract level; not just the DDOS ones. Second, if it is at a higher
abstraction level then it seems right to unlimit it (by including
master/slave combinations in general; not just the DDOS aspect).
Meunier> I think that trinoo etc... are very similar to smurf attacks
(CVE-1999-0513 ) in the sense that a third party allows itself to be
used. Also, there is an obvious solution that can only be done by
that third party.
As for the CVE entry, I am considering whether the common entry point
could be reduced to "egress filtering has not been implemented or has
been disabled, allowing the sending of spoofed IP packets".
Incidentally, this would prevent the use of decoys in port scans,
etc... This single CVE entry would be very powerful. We could use
the dot notation to list the DDoS tools and attacks that rely on the
absence of egress filtering based on the argument that if you have
egress filtering, nobody will bother to put or use DDoS tools on your
computers.
The weakness of this is that one could in theory still use DDoS tools
even if you have egress filtering -- only they will be one shot guns,
almost completely eliminating their appeal and effectiveness. One
use, and they will be blocked, tracked down and destroyed
efficiently.
Pascal
P.S.: I am attracted by the idea of starting an internet (fire)wall
of shame, for people who haven't implemented egress filtering. It
worked pretty well against sites allowing themselves to be used for
smurf attacks (http://www.powertech.no/smurf/). Why not use the same
strategy for egress filtering? Of course it's hard to know who is
the source of IP spoofed packets. However the consistent detection
of crud originating from a server is a sure sign that they haven't
implemented egress filtering. For example (my first candidate to
this wall of shame), this weekend the Linux suse ftp server sent many
packets with an illegal ip address as source, one reserved for local
area networks, upon making an ftp connection (it may still be doing
it, I haven't checked since -- the suse ftp admin mentioned that they
were aware of it). It was easy to figure out it was them by
repeating the ftp connections and observing the 100% reproducibility
and time correlation of the extraneous packets. In addition, the
suse servers kept sending me crud for *hours* after a failed attempt
to download their PPC beta.
The cost of egress filtering is easily justified. The argument is
similar to those relating to pollution, except that people don't
try to break into your car if you have removed the catalytic
converter.
Bishop> I need to think about the exact meaning of MP. I suspect I
will agree with the classification, on an operational basis
(meaning I may want to revisit it), but I want to think on it
some more.
Blake> I don't agree with Pascal that this is a filtering problem analogous to
smurf. Rootkit is a better analogy. The DDoS software doesn't exploit
any unique vulnerability directly. Its presence is entirely predicated
on the existence of at least one other, easily exploited vulnerability.
From the perspective of the system owner, this is just one of several
backdoors that could be installed. Seems to me that the presence of a
known backdoor package should be considered a vulnerability (or at least
an exposure).
I'm really torn on whether or not to split them out, though. My
inclination is to group master and slave by package; i.e., trinoo
master/slave, tfn master/slave, etc.
Wall>
Just to be consistent, you may add Trinoo (trin00) and does it matter
if it is Tribal or Tribe? The original internal c program says Tribe Flood
Network.
Meunier> What they have in common is the use of an amplification mechanism.
They are broadcasting (multicasting) to a (virtual private) network,
which then amplifies the messages. In both cases, the amplification
is done by the third party victim hosts. The difference is just that
the network is virtual instead of physical.
Scott, you are assuming that the people who have the tools installed
are unwilling. Let's say theoretically speaking that there is an
underground hacker group (or student association) who is hooked up to
DSL lines (like in university residences) and who thinks that it
would be "cool" to form an "army". How about a popular civil
movement protesting something, like the WTO last summer? I think
some people would voluntarily "enlist" their computers in a cause
that would use DDoS attacks. The rootkit analogy does not hold, yet
the DDoS attacks could be just as effective. However, if the
university or ISPs implemented egress filtering, the DDoS attacks
could be easily stopped because the people could be held accountable.
The crux of the matter is the anonymity provided by IP spoofing.
You are correct that in most cases, having a DDoS tool installed on
your system is an exposure like rootkit. Maybe that deserves a CVE
entry. However, I think that does not capture the nature of the
DDoS, and that an entry about egress filtering is of utmost
importance because it patches a fundamental vulnerability of IPv4.
Blake> Excellent response, Pascal, thanks. I hadn't thought of people
volunteering, but that's certainly a plausible scenario. Part of my
motivation/thinking was a desire to stay away from making this into only
yet another use for spoofed IP packets. I wholeheartedly agree that
egress filtering is essential, but am reluctant to single out the recent DDoS
events as the reason for it.
I'd prefer to split out egress filtering as a separate CVE entry (on the
theory that not using egress filtering constitutes an exposure -- at least
to liability), rather than tying it to these entries.
Levy> I agree with Scott for no other reason than that there needs to be a CVE
ID so that IDS systems can report these things.
Are we going to start handing out CVE ids for low level design faults?
E.g. lack of encryption at the IPv4 packet level? lack of resource
allocation protocols? the use of DES instead of Triple DES? etc
Shostack> Both excellent points, however, I'd like to add that even if people
volunteer to host the tools, Trinoo and company allow the controlling
attacker to hide activities, which counts as an exposure under
http://cve.mitre.org/About_CVE/About/definition.html
Cole> Even with all of the debate I accept this one.
Christey> With respect to inclusion of design flaws in CVE, review
http://cve.mitre.org/Board_Sponsors/archives/msg00602.html
Other design flaws that have already been added to CVE
include Smurf (CVE-1999-0513), Fraggle (CVE-1999-0514)
and TCP sequence number prediction (CVE-1999-0077), although
this last one may need to be RECAST to a lower level of
abstraction.
CHANGE> [Meunier changed vote from REVIEWING to RECAST]
Meunier> In the sense that this is like a rootkit, then it is a
duplicate of CAN-1999-0660, "A hacker utility or Trojan Horse is
installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc..."
It should be recast as CAN-1999-0660.1 DDoS tools
Other dot notations could indicate different effects of the tools.
Dik> There doesn't seem to be much to add to the
discussion.
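The egress filtering that Pascal argues for in the thread above, as an added example that is not part of any CVE entry or of any tool named in the discussion: an audit over constructed outbound flow records that flags sources the site does not own (or that sit in never-routed space, like the RFC 1918 address in the ftp-server anecdote), plus the iptables rules that would enforce the policy. The site prefix, interface name and flow records are constructed.

```python
"""Egress-filtering audit for outbound flow records.

Added example illustrating the egress filtering discussed above; it is not part
of any CVE entry or of any tool named in the thread.  A site that only lets
packets leave with a source address it actually owns cannot originate spoofed
traffic, so any outbound record whose source is outside the site's prefixes,
or inside a range that must never appear on the public Internet, marks a host
that egress filtering should have stopped.  The prefixes, interface name and
flow records below are constructed.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Source ranges that are never legitimate on the public Internet.
NEVER_ROUTED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def classify_source(src: str, site_nets: Iterable[ipaddress.IPv4Network]) -> str:
    """'ok' for a site-owned source, 'bogon' for reserved space, else 'spoofed'."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in NEVER_ROUTED):
        return "bogon"      # e.g. an RFC 1918 address leaking out, as in the ftp-server anecdote
    if any(addr in net for net in site_nets):
        return "ok"
    return "spoofed"        # a source the site does not own: a forged packet


def audit_egress(flow_lines: Iterable[str], site_prefixes: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (source, verdict) for every record that egress filtering should have dropped.

    Records have the constructed form 'SRC -> DST proto/port'.
    """
    site_nets = [ipaddress.ip_network(p) for p in site_prefixes]
    findings = []
    for line in flow_lines:
        src, sep, _ = line.partition(" -> ")
        if not sep:
            continue        # not a flow record; skip it
        verdict = classify_source(src.strip(), site_nets)
        if verdict != "ok":
            findings.append((src.strip(), verdict))
    return findings


def egress_rules(site_prefixes: Iterable[str], iface: str) -> List[str]:
    """iptables FORWARD rules (as argument strings) implementing the policy:
    permit only site-owned sources out of `iface`, drop everything else."""
    rules = [f"-A FORWARD -o {iface} -s {p} -j ACCEPT" for p in site_prefixes]
    rules.append(f"-A FORWARD -o {iface} -j DROP")
    return rules


# Constructed data: the site owns 203.0.113.0/24 and uplinks through eth0.
SITE_PREFIXES = ["203.0.113.0/24"]
SAMPLE_FLOWS = [
    "203.0.113.10 -> 198.51.100.5 tcp/21",   # legitimate
    "192.168.1.7 -> 198.51.100.5 tcp/21",    # private address leaking to the Internet
    "10.1.2.3 -> 198.51.100.5 udp/53",
    "192.0.2.44 -> 198.51.100.5 udp/7",      # not a site address: forged source
]

if __name__ == "__main__":
    for src, verdict in audit_egress(SAMPLE_FLOWS, SITE_PREFIXES):
        print(f"{src:16} {verdict}")
    print("\n".join(egress_rules(SITE_PREFIXES, "eth0")))
```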

Description: The SSH protocol server sshd allows local users without shell access
to redirect a TCP connection through a service that uses the standard
system password database for authentication, such as POP or FTP.

Frech> XF:ssh-redirect-tcp-connection
CHANGE> [Cole changed vote from REVIEWING to ACCEPT]
Christey> Examine the thread at
http://marc.theaimsgroup.com/?l=bugtraq&m=95055978131077&w=2
to ensure that this problem is being characterized
appropriately.
Levy> SSH is working as designed. The fact that some of its interactions
are not foreseen by some is not a vulnerability.

Frech> XF:gnu-makefile-tmp-root
(We have made assignment to two CANs. Requesting confirmation that this is
not a duplicate of CAN-2000-0092: The BSD make program allows local users to
modify files via a symlink attack when the -j option is being used.)
Christey> To confirm Andre's question, this is being treated as
different from CAN-2000-0092, based largely on the fact
that the exploit is different. I believe there was
another reason for keeping these distinct, but that
"deeper analysis" was not recorded :-( While it's possible
that this is the same bug from some common version of make,
in the absence of other information we should probably
keep these two split.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
CHANGE> [Christey changed vote from REVIEWING to REJECT]
Christey> Taking a fresh look at the diffs for FreeBSD make:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:01.make.asc
And Debian make:
http://security.debian.org/dists/slink/updates/source/make_3.77-5slink.diff.gz
OK... now that I've hurt my brain looking at the code, while
there are major differences in the surrounding code,
ultimately both FreeBSD and Debian create an "outfile" file
descriptor for the temporary file, within main() in main.c.
In addition, child_execute_job() in job.c uses an outfile
variable - for both sources.
Perhaps FreeBSD reported the -j problem without seeing that it
could come in from stdin as well, and/or Debian/etc. didn't realize
that it was exploitable from job control, or maybe a combination of
the two. Regardless, the two problems are the same.
Phew! There goes a half-hour of my life that I'll never be
able to get back...

LeBlanc> I think this is the same as
http://www.microsoft.com/technet/security/bulletin/ms99-010.asp
If that is true, and you already have it logged, we don't want to have an
entry for the same bug.
Christey> MS:MS99-010 describes CVE-1999-0386. Are there sufficient
details to ensure that this is the same problem?
See http://www.securityfocus.com/templates/archive.pike?list=1&msg=01bae51a$9ab232b0$0100007f@nordnode
Frech> XF:pws-file-access
(We currently have this issue assigned to this CAN and to CVE-1999-0386. I
see that others have similar concerns that this is a duplicate; please
confirm on current status of this candidate.)
Christey> [note to self: review comments by Mark Burnett]

Description: The Microsoft Active Setup ActiveX component in Internet Explorer 4.x
and 5.x allows a remote attacker to install software components
without prompting the user by stating that the software's manufacturer
is Microsoft.

Christey> In a followup to Bugtraq, Juan Carlos Cuartango makes some
clarifications, specifically that the code that is executed
*must* be signed by Microsoft.
See BUGTRAQ:20000222 MS signed softwrare privileges
Microsoft sends some followups, including a statement that it
will include notification.
The question is, does this belong in CVE? There is no known
means of exploitation; on the other hand, it is related
to privacy concerns. Several posts to the Bugtraq list
indicate that some people believe that unprompted installation
is a significant concern.
Frech> XF:win-active-setup
Levy> BID 999
I do consider this vulnerability as it allows a malicious web page
to install *old* and *vulnerable* components signed by microsoft.
LeBlanc> Fixed in MS00-042
Christey> BID:999
Also add XF:ie-active-setup-download ?

Phase: Proposed (20000223)
Reference: NTBUGTRAQ:20000215 Crashing Inetinfo.exe by using a longfilename in the \mailroot\pickup directory
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0002&L=ntbugtraq&F=&S=&P=8800

Description: IIS Inetinfo.exe allows local users to cause a denial of service by
creating a mail file with a long name and a .txt.eml extension in the
pickup directory.

Prosser> Although SCO is reporting the problem, there is too little info
available to make an informed decision. Unable to find anything
anywhere on this. It is an events logging system, so one would assume
that there is a way to fill up the log and cause a system halt, but no
way of confirming this with limited information.
Christey> Perhaps we should create a content decision, say
CD:VAGUE-ACK, which says whether it's reasonable to
ACCEPT vendor-acknowledged problems that do not provide any
salient details, as in this candidate as well as several
others.
Cole> I researched this a little more and you can change my NOOP to an
ACCEPT
Frech> XF:sco-eels-dos

Christey> Since EZShopper is written in Perl, there is strong evidence
that both the .. and metacharacter attack probably go
through the same insecure open() call. (Perl's open can
either read a regular file, or read piped output from
a command that is specified to the open).
Frech> XF:ezshopper-loadpage-cgi(4044)

Christey> The exploit is different than CAN-2000-0187 by going through
a different field in a different script, so maybe this should
be kept separate, even though it's probably another open()
call problem.
Frech> XF:ezshopper-search-cgi(4045)

Description: The Windows NT scheduler uses the drive mapping of the interactive
user who is currently logged onto the system, which allows the local
user to gain privileges by providing a Trojan horse batch file in
place of the original batch file.

Description: When a new SQL Server is registered in Enterprise Manager for
Microsoft SQL Server 7.0 and the "Always prompt for login name and
password" option is not set, then the Enterprise Manager uses weak
encryption to store the login ID and password.

LeBlanc> I think this may just be user error - I'd like more information.
Frech> XF:mssql-weak-encryption
ISS:Vulnerability in Microsoft SQL Server 7.0 Encryption Used to Store
Administrative Login ID
URL:http://xforce.iss.net/alerts/advise45.php3
Christey> According to Scott Culp, this can only be reproduced if the
SQL server is running in an unsafe mode that is not
recommended by Microsoft: "To securely use SQL Server,
Microsoft recommends using Windows Integrated Security. In
Windows Integrated Security mode passwords are never stored,
as your Windows Domain sign-on is used as the security
identifier to the database server."
We still must consider approving this candidate, however, as a
user configuration error instead of a software flaw.
CD:DESIGN-WEAK-ENCRYPTION applies in this case, so if we
decide to include configuration problems in which a user
intentionally selects weak encryption, then we might still
approve this candidate.

Description: Microsoft email clients in Outlook, Exchange, and Windows Messaging
automatically respond to Read Receipt and Delivery Receipt tags, which
could allow an attacker to flood a mail system with responses by
forging a Read Receipt request that is redirected to a large
distribution list.

Blake> This is a configuration issue. Should the fact that NT can be configured
to accept a blank Admin password have a CVE entry?
LeBlanc> This is documented as bad practice - if you have a wide distribution
mailing list, you should only allow certain users to send mail to it.
I don't think we want to start listing all possible admin errors as
vulnerabilities.
Frech> XF:microsoft-mail-client-dos(4893)
Levy> I agree with all the above comments. Furthermore the delivery status
notification RFC makes it clear that mailing list software should
strip messages from DSN headers. I assume Microsoft's products are
using the DSN standard and not something else.

Ozancin> We need an additional CVE entry for other distributions that simply drop you
into a root shell in single user mode.
Christey> Based on Craig's comments, need to consider if this is an LOA
issue.
Frech> XF:redhat-single-user-auth(4026)

Blake> Discussion on Bugtraq shows that this is a really marginal issue. Very
tough to come up with a viable attack scenario. Also, it's part of how
this class of software works, not a flaw in the cited package. Might be
possible to recast this into something more generic....
Frech> XF:zonealarm-exposes-info

Description: The Linux 2.2.x kernel does not restrict the number of Unix domain
sockets as defined by the wmem_max paremeter, which allows local users
to cause a denial of service by requesting a large number of sockets.

Christey> Fix typo: 'paremeter'
Magdych> I remember when this came up... seems like there were some wildly
mixed results for the exploit.
Christey> See http://marc.theaimsgroup.com/?l=bugtraq&m=95421263519558&w=2
for Elias' summary of the mixed results. It looks like
enough people were able to replicate it that we should
include it.
Christey> Fix typo: "paremeter"
CHANGE> [Magdych changed vote from REVIEWING to NOOP]

Frech> Violation of fundamentum divisionis (that is, it's more than one issue) and
a potential nitpick:
- windmail-fileread: allows remote attackers to read arbitrary files
- windmail-pipe-command: execute commands via shell metacharacters
- The conjunction 'or' should be 'and', if you decide to stick with one CAN.
Christey> As Andre basically said without naming content decisions,
CD:SF-LOC says this should be split.
HOWEVER - the author of the product says that WindMail isn't
supposed to be a CGI script, and says that the pipe
character problem is not related to Geocel. So should CVE
record when someone runs a program that wasn't intended to
be a CGI? There may be a level of abstraction issue here.
Note that Perl and shell interpreters in CGI-BIN are
already mentioned in CAN-1999-0509. If we want to include
"using a program that wasn't designed to be a CGI" as a
problem, we should have a separate candidate.
See the author's comments at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=3.0.5.32.20000331114325.013af680@mailhost.geocel.com
which also claims that the original announcer hasn't provided
any more details after the author was unable to reproduce the
problem.
CHANGE> [Magdych changed vote from REVIEWING to REJECT]
Magdych> After reviewing the author's comments, I'm inclined to think that this is more of a misconfiguration than a vulnerability.

Christey> Typo fix: change "passowrd" to "password"
ADDREF BID:1148
ADDREF URL:http://www.securityfocus.com/bid/1148
Christey> ADDREF XF:piranha-default-password
Frech> XF:piranha-default-password
In description, passowrd should be password.
Cox> The "execute arbitrary commands" part is a seperate vulnerability,
already assigned CVE-2000-0322. The package was designed to have no
password on installation, so "backdoor" does not apply. When users
install Piranha they are expected to add a password to the web
administration GUI, it's a documented part of the procedure. "The web
GUI for the Linux Virtual Server (LVS) software in the Red Hat Linux
Piranha package installs with a default password" is accurate if it
qualifies as an exposure.
Christey> BUGTRAQ:20000425 piranha default password/exploit
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95668829621268&w=2
Default accounts/passwords need to be accounted for in CVE,
but the question is what level of abstraction to use - a
separate CVE for each password, or one CVE for all passwords,
or somewhere in the middle? That is the crux of CD:CF-PASS.

Description: Buffer overflows in htimage.exe and Imagemap.exe in FrontPage 97 and
98 Server Extensions allow a user to conduct activities that are not
otherwise available through the web site, aka the "Server-Side Image
Map Components" vulnerability.

Description: The default permissions for the Cryptography\Offload registry key used
by the OffloadModExpo in Windows NT 4.0 allow local users to compromise
the cryptographic keys of other users.

Description: Internet Explorer 5.01 allows remote attackers to bypass the cross
frame security policy via a malicious applet that interacts with the
Java JSObject to modify the DOM properties to set the IFRAME to an
arbitrary Javascript URL.

Description: Emacs 20 does not properly set permissions for a slave PTY device when
starting a new subprocess, which allows local users to read or modify
communications between Emacs and the subprocess.

Votes:

ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(3) Wall, Cole, Christey

Voter Comments:

Christey> ADDREF XF:emacs-local-eavesdrop
Verify BID for this - is it 1125, 1126, or 1127?
Also, ADDREF CALDERA:CSSA-2000-011.1 ??
URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-011.1.txt
Frech> XF:emacs-local-eavesdrop
Christey> ADDREF MANDRAKE:MDKSA-2000:088 ?
Also http://www.securityfocus.com/bid/2164, but is that a
duplicate of BID:1125?

Description: CRYPTOCard CryptoAdmin for PalmOS uses weak encryption to store a
user's PIN number, which allows an attacker with access to the .PDB
file to generate valid PT-1 tokens after cracking the PIN.

Description: Buffer overflow in the Napster client beta 5 allows remote attackers
to cause a denial of service via a long message.

Votes:

NOOP(2) Wall, Cole
REJECT(3) Frech, Levy, Baker

Voter Comments:

Frech> Does not meet CVE candidate requirements. The problem was remedied on the
server end, and no fault exists at the client. Based on
http://archives.neohapsis.com/archives/bugtraq/2000-03/0299.html:
Approximately one hour after receiving the post from BugTraq,
Napster's servers were patched to prevent this from occurring.
Users of the Napster Win32 client software are NOT vulnerable.
Baker> Agree with Andre

Description: X fontserver xfs allows local users to cause a denial of service via
malformed input to the server.

Votes:

MODIFY(1) Frech
NOOP(2) Wall, Cole
REJECT(2) Levy, Christey

Voter Comments:

Frech> XF:redhat-fontserver-dos
POTENTIAL DUPE: CAN-2000-0263: The X font server xfs in Red Hat Linux 6.x
allows an attacker to cause a denial of service via a malformed request.
Christey> As Andre observed, this is a duplicate of CAN-2000-0263.

Frech> XF:http-cgi-infonautics-getdoc
Christey> CD:EX-ONLINE-SVC applies here. This may be a vulnerability in
an online service (the search engines used by Infonautics)
which poses no risk to anyone but the company itself.

Description: aaa_base in SuSE Linux 6.3, and cron.daily in earlier versions, allow
local users to delete arbitrary files by creating files whose names
include spaces, which are then incorrectly interpreted by aaa_base
when it deletes expired files from the /tmp directory.

Christey> ADDREF XF:webobjects-post-dos
Frech> XF:webobjects-post-dos
Christey> See http://til.info.apple.com/techinfo.nsf/artnum/n75087
Document says:
"A request with a large, malformed http header can crash a WOApp"
(Apple reference #2470254) appears to be the acknowledgement needed.
Is this sufficient acknowledgement? This is dated August 24,
but the initial disclosure occurred on April 4.
Christey> BID:1896

Phase: Proposed (20010214)
Reference: OPENBSD:19990830 In cron(8), make sure argv[] is NULL terminated in the fake popen() and run sendmail as the user, not as root.
Reference: URL:http://www.openbsd.org/errata25.html#cron

Description: cron in OpenBSD 2.5 allows local users to gain root privileges via an
argv[] that is not NULL terminated, which is passed to cron's fake
popen function.

Votes:

ACCEPT(3) Baker, Cole, Collins
MODIFY(1) Frech
REVIEWING(1) Christey

Voter Comments:

Frech> XF:cron-sendmail-root(3335)
Seems like this issue is not just OpenBSD, and is described
differently by other vendors:
SuSE Security Announcement #15 Security hole in cron
http://www.suse.de/de/support/security/suse_security_announce_15.txt
Red Hat, Inc. Security Advisory RHSA-1999:030-02 Buffer overflow in
cron daemon
http://www.redhat.com/support/errata/rh52-errata-general.html#vixie-cron
Caldera Systems, Inc. Security Advisory CSSA-1999-023.0 serious security
problem in cron
http://www.calderasystems.com/support/security/advisories/CSSA-1999-023.0.txt
All are dated on or around 1999-08-27 to 1999-08-30.
Also, may overlap with CVE-1999-0769: Vixie Cron on Linux systems allows
local users to set parameters of sendmail commands via the MAILTO
environmental variable.
Christey> See Andre's comments, but I believe this is different than
CVE-1999-0769. Also consider CVE-1999-0768 and CAN-1999-0872
(Vixie Cron buffer overflow via MAILTO),

Frech> XF:icradius-username-bo
Every reference I pull up shows the product's name as ICRADIUS. See
http://mysql.eunet.fi/Downloads/Contrib/icradius.README
Christey> In a followup, Alan DeKok (aland@FREERADIUS.ORG) says that
this could occur in other RADIUS servers also; however, the
bug could only be exploited if someone has altered the
configuration file, which shouldn't normally be modifiable
by anyone else.
So, this should be REJECTed since the bug doesn't directly give
anyone else any additional privileges or access.
Christey> Alan DeKok <aland@FREERADIUS.ORG> says it applies to other RADIUS
programs also, *however* since it needs a valid username, only
the RADIUS owner can exploit it by changing the config file. But
if the config file can be written by others - well, that's still
a potential risk, but you've probably got bigger problems then.
- http://marc.theaimsgroup.com/?l=bugtraq&m=95671883515060&w=2
Look at ChangeLog at ftp://ftp.cheapnet.net/pub/icradius/ChangeLog
Possible confirmation in 0.15: "sql_getvpdata now dynamically
allocates buffer sizes for sql queries to avoid over runs"
But that's a bit general.
Alan DeKok said that Cistron and other RADIUS servers were affected; the
ICRADIUS changelog says to check the Cistron logs for other possible
bug fixes, since ICRADIUS uses Cistron codebase. Go back to
freeradius.org and find link to Cistron at
http://www.miquels.cistron.nl/radius/
Cistron changelog at http://www.miquels.cistron.nl/radius/ChangeLog It
has different version numbers - go back to ICRADIUS changelog to find
rough equivalents. ICRADIUS 0.15 uses Cistron 1.6.3 patches, so
start from there.
No apparent problems in 1.6.3 or 1.6.4, but 1.6.1 says: "Fix all
strcpy(), strcat(), sprintf() and sccanf() calls for buffer
overflows." So perhaps the problem was fixed then? Or maybe the
vulnerable sscanf() call was missed and/or disregarded because it was
believed that the hostname could be trusted since it came from a
well-controlled configuration file?

LeBlanc> - same as CAN-1999-1011
If I'm misunderstanding something here, please correct me. In fact, it has
the same bulletin as a reference.
Frech> XF:jet-vba-shell
Prosser> This entry is not the same as "now" CVE-1999-1011. That entry is "The Remote Data Service (RDS) DataFactory component of Microsoft Data Access Components (MDAC) in IIS 3.x and 4.x exposes unsafe methods, which allows remote attackers to execute arbitrary commands." This one should be correct.
Christey> BUGTRAQ:19990525 Advisory: NT ODBC Remote Compromise
http://marc.theaimsgroup.com/?l=bugtraq&m=92765973107637&w=2
NTBUGTRAQ:19990526 Advisory: NT ODBC Remote Compromise
http://marc.theaimsgroup.com/?l=ntbugtraq&m=92781907215748&w=2
Christey> The Microsoft advisory itself describes two separate
vulnerabilities, calling the TEXT I-ISAM problem
(CVE-2000-0323) a variant of the VBA Shell problem (this
CAN). In addition, CVE-2000-0323 does *not* appear in Jet
4.0, while this one does. Since one problem appears in a
different version than the other, CD:SF-LOC suggests keeping
these candidates SPLIT.
BID:548
http://www.securityfocus.com/bid/548
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Need to clarify whether the Bugtraq/NTBugtraq posts are
really describing the same issue (those are BID:286).

Description: tcpdump, Ethereal, and other sniffer packages allow remote attackers
to cause a denial of service via malformed DNS packets in which a jump
offset refers to itself, which causes tcpdump to enter an infinite
loop while decompressing the packet.
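The self-referencing compression pointer described in this entry, as an added example that is not tcpdump's or Ethereal's code: a DNS name decoder that follows RFC 1035 compression pointers but remembers every offset it has visited, so a pointer that refers to itself (or a longer cycle) is rejected instead of looping forever. The sample messages are constructed.

```python
"""Decode compressed DNS names without following a pointer loop.

Added example, not tcpdump or Ethereal code.  RFC 1035 section 4.1.4 lets a
length byte with its top two bits set (0xC0) act as a 14-bit pointer to an
earlier offset in the message.  A decoder that follows pointers blindly spins
forever on a message in which a pointer refers to itself; this one remembers
every offset it has visited and refuses to visit one twice.  All messages
below are constructed for the example.
"""
from __future__ import annotations

import struct

MAX_NAME_LEN = 255   # RFC 1035 limit on a full name
MAX_LABELS = 128     # a 255-byte name cannot contain more labels than this


class MalformedName(ValueError):
    """Raised for pointer loops, truncation and over-long names."""


def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Return (name, next_offset) for the name that starts at `offset`.

    `next_offset` is the wire position just after the name: after the first
    compression pointer if one was used, otherwise after the zero label.
    """
    labels = []
    visited = set()      # offsets already processed; a repeat means a loop
    next_offset = None
    pos = offset
    while True:
        if pos in visited:
            raise MalformedName(f"compression pointer loop at offset {pos}")
        visited.add(pos)
        if pos >= len(msg):
            raise MalformedName("name runs past the end of the message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                   # compression pointer
            if pos + 1 >= len(msg):
                raise MalformedName("truncated compression pointer")
            target = struct.unpack_from("!H", msg, pos)[0] & 0x3FFF
            if next_offset is None:
                next_offset = pos + 2
            pos = target                            # the visited check above catches cycles
            continue
        if length & 0xC0:
            raise MalformedName("reserved label type 0x40/0x80")
        if length == 0:                             # root label ends the name
            if next_offset is None:
                next_offset = pos + 1
            break
        if len(labels) >= MAX_LABELS:
            raise MalformedName("too many labels")
        label = msg[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise MalformedName("truncated label")
        labels.append(label.decode("ascii", errors="replace"))
        pos += 1 + length
    name = ".".join(labels) + "."
    if len(name) > MAX_NAME_LEN:
        raise MalformedName("name exceeds 255 octets")
    return name, next_offset


def is_malformed(msg: bytes, offset: int) -> bool:
    """True if decode_name rejects the name at `offset` (loop, truncation, ...)."""
    try:
        decode_name(msg, offset)
    except MalformedName:
        return True
    return False


def first_answer_name(msg: bytes) -> str:
    """Owner name of the first answer in a one-question response."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    if qdcount != 1 or ancount < 1:
        raise MalformedName("example handles one question and at least one answer")
    _, pos = decode_name(msg, 12)        # skip QNAME ...
    pos += 4                             # ... and QTYPE, QCLASS
    name, _ = decode_name(msg, pos)
    return name


# Constructed sample messages.  Header: id, flags (response), qd=1, an=1, ns=0, ar=0.
HEADER = bytes.fromhex("1234 8180 0001 0001 0000 0000")
QUESTION = b"\x03www\x07example\x03com\x00" + b"\x00\x01\x00\x01"
# Answer owner name is a pointer back to offset 12 (the question name): normal use.
GOOD_RESPONSE = HEADER + QUESTION + b"\xc0\x0c" + b"\x00\x01\x00\x01" \
    + b"\x00\x00\x0e\x10" + b"\x00\x04" + bytes([192, 0, 2, 1])
# Question name is a pointer to offset 12, i.e. to itself: the infinite-loop case.
SELF_POINTER = HEADER + b"\xc0\x0c" + b"\x00\x01\x00\x01"
# Two pointers referring to each other: a longer cycle the visited set also catches.
POINTER_CYCLE = HEADER + b"\xc0\x0e" + b"\xc0\x0c" + b"\x00\x01\x00\x01"

if __name__ == "__main__":
    print(first_answer_name(GOOD_RESPONSE))            # www.example.com.
    for sample in (SELF_POINTER, POINTER_CYCLE):
        print("rejected:", is_malformed(sample, 12))   # True, True
```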

Frech> XF:sniffit-lmail-bo
Christey> This issue was rediscovered.
ADDREF BUGTRAQ:20020119 remote buffer overflow in sniffit
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101167452712383&w=2
ADDREF BUGTRAQ:20000525 `sniffit -L mail' vulnerabilities
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95928090612990&w=2
I reviewed the patch that was claimed in the 20020119 Bugtraq
post, and it could well address the issue. However, since the
patch is also dated around the time of the original Bugtraq
post, *and* it says that it's addressing an issue that's
discussed on Bugtraq, that is sufficient to establish
acknowledgement.
CHANGE> [Christey changed vote from NOOP to MODIFY]
Christey> XF:sniffit-normmail-l-bo(7933)
URL:http://www.iss.net/security_center/static/7933.php

Levy> Arguably this is not a vulnerability. Cisco replied saying this
is standard behaviour that was simply not well documented. They have
no plans to change it and will simply document it better.
Frech> XF:cisco-online-help
Balinsky> As noted in a bugtraq posting by Lisa Napier from Cisco's Product Security Incident Response Team, this is a poorly documented feature. This is intended behavior, and does not represent a vulnerability in Cisco's opinion.
http://www.securityfocus.com/frames/?content=/templates/archive.pike?list=1&mid=59434
Prosser> Although Lisa Napier did say this issue was "functioning as designed", it was not intended to allow unprivileged access. Lisa did indicate that Cisco would be updating instructions on configuration to ensure proper user privileges. So, this should be considered IMHO an "exposure" vice a vulnerability, but security-related none the less.
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D20000502222246.28423.qmail@securityfocus.com
http://www.securityfocus.com/bid/1161

Description: The Microsoft Active Movie ActiveX Control in Internet Explorer 5 does
not restrict which file types can be downloaded, which allows an
attacker to download any type of file to a user's system by encoding
it within an email message or news post.

LeBlanc> COMMENT - this definitely will not work if the user has applied the security
patch. I don't know whether this repros right now, and have sent a query to
find out.
Christey> Is this now documented in MS:MS00-042?
LeBlanc> the problem isn't in the Active Movie control. What was
observed was a symptom of another problem that got fixed in
some bulletin or another - I don't remember.
Christey> According to Scott Culp, this existed because
the patch for the Cache Bypass vulnerability (MS:MS00-046,
CAN-2000-0621) was not applied, so this should be REJECTed
as a duplicate of CAN-2000-0621.

Description: The gnapster and knapster clients for Napster do not properly restrict
access only to MP3 files, which allows remote attackers to read
arbitrary files from the client by specifying the full pathname for
the file.

Description: The shtml.exe program in the FrontPage extensions package of IIS 4.0
and 5.0 allows remote attackers to determine the physical path of
HTML, HTM, ASP, and SHTML files by requesting a file that does not
exist, which generates an error message that reveals the path.

Prosser> additional source Security BugWare
http://161.53.42.3/~crv/security/bugs/NT/fpse10.html comments on page re:
"MS soon to be released service release OSR 1.2 with needed changes."
I haven't located anything on MS site yet. Anyone help?
Christey> BID:1433 may also refer to this issue.
Christey> [note to self: review comments by Mark Burnett]
Christey> CHANGEREF XF:iis-shtml-reveal-path XF:frontpage-ext-shtml-path(4439)
LeBlanc> Fixes are up on site now - have been for a while.

LeBlanc> The poster re-discovered a vulnerability we patched two years
ago, in
http://www.microsoft.com/technet/security/bulletin/ms98-008.asp
Microsoft posted a response to BugTraq when this one went
public, and reminded them that we'd already patched it.
BTW, I think we want to try and pay attention to follow-ups to
these threads in order to minimize noise in the process.
Christey> Based on David's comments, this is covered by CAN-1999-0002.
However, that candidate may wind up being SPLIT, so I will
keep this one around for the moment.
With respect to watching followups, we are relying quite
a bit on other data feeds instead of doing our own reviews
of all the different data sources. The data feeds may report
these problems as new before corrections are posted.
Followups do often lend additional information to the
candidates, and as is the case with this one, we will
often catch the discrepancy before the candidate becomes an
official entry, whether by MITRE's own analysis or by that
of other Board members.
Frech> XF:outlook-image-long-filename

Description: The default configuration of SYSKEY in Windows 2000 stores the startup
key in the registry, which could allow an attacker tor ecover it and
use it to decrypt Encrypted File System (EFS) data.

LeBlanc> This is not a vulnerability. It is essentially an advisory on best
practices. Also, the description is extremely inaccurate. If I weren't
intimately familiar with the issue, I would not be able to understand it
from this. Syskey, when applied at lower levels, has well-documented
limitations.
Stracener> "..to recover"
Frech> XF:win2k-syskey-default-configuration
Change "tor ecover" to "to recover"

Description: The SuSE aaa_base package installs some system accounts with home
directories set to /tmp, which allows local users to gain privileges
to those accounts by creating standard user startup scripts such as
profiles.

LeBlanc> I have no idea what this one is talking about from the description. I also
don't think it involves "Network Monitor", which is a component of Windows
NT/Windows 2000. This should be clarified.
Frech> XF:big-brother-bbd-bo
Christey> The original advisory, as forwarded to Bugtraq, does not
provide any details, so the description is necessarily vague.
Also, the home page at http://bb4.com has it referring to
itself as "Big Brother System and Network Monitor," so
"Network Monitor" is apparently part of the name of the product.
Change this description to mention version 1.4g, to distinguish
from other Big Brother vulnerabilities.

Description: Buffer overflow in AnalogX SimpleServer 1.05 allows a remote attacker
to cause a denial of service via a long GET request for a program in
the cgi-bin directory.

Votes:

ACCEPT(1) Levy
MODIFY(1) Frech
REVIEWING(1) Christey

Voter Comments:

Christey> Appears to be the same as, or similar to, CVE-2000-0011, which was
also discovered by USSR. Comments on the AnalogX web site are
decidedly sparse. In CAN-2000-0011, USSR only claims that
the vendor was informed, so is this still the same problem?
XF:simpleserver-long-url-dos
Frech> XF:simpleserver-long-url-dos(4693)
Please review whether your BUGTRAQ:19991231 reference is correct; seems like
this is the reference to CVE-2000-0011: Buffer overflow in AnalogX
SimpleServer:WWW HTTP server allows remote attackers to execute commands via
a long GET request. They are subtle; almost the only thing that changed was
the version.
A possible reference is "Remote DoS attack in AnalogX SimpleServer WWW
Version 1.05 Vulnerability" at http://www.ussrback.com/labs45.html.

Description: The Protected Store in Windows 2000 does not properly select the
strongest encryption when available, which causes it to use a default
of 40-bit encryption instead of 56-bit DES encryption, aka the
"Protected Store Key Length" vulnerability.

Description: Buffer overflow in the XDMCP parsing code of GNOME gdm, KDE kdm, and
wdm allows remote attackers to execute arbitrary commands or cause a
denial of service via a long FORWARD_QUERY request.

Wall> This affects more than IE 5.01. See http://www.securityfocus.com/bid/1311 for
all versions of IE that this affects. Works on Windows 98, IE 5.01 and IE 5.5.
LeBlanc> If this is the one I was discussing offline with Steve, ACCEPT
Frech> XF:ie-cross-frame(4610)
Christey> Make sure this is the one I was discussing offline with David :-)
Frech> CAN-2000-0503 was reassigned to ie-frame-domain-file-access(5504) from
ie-cross-frame(4610), which was obsoleted and redirected to this
issue. Since these are the same issues but just described differently,
CAN-2000-0503 appears to be a dupe of CVE-2000-0768.

Description: Microsoft Outlook and Outlook Express allow remote attackers to cause
a denial of service by sending email messages with blank fields such
as BCC, Reply-To, Return-Path, or From.

Votes:

MODIFY(3) Frech, Levy, LeBlanc
NOOP(1) Ozancin
RECAST(1) Wall

Voter Comments:

Levy> There were plenty of people that could not reproduce the problem although
some did. More research (as in actual testing) is probably required.
LeBlanc> This entry does not specify which versions of Outlook are vulnerable, nor
is that clear from the BUGTRAQ record. It is much too broad to say just
"Outlook" when it is definitely not all versions of Outlook. The problem
appears confined to some version of Outlook 97, and if I recall correctly,
there has been a patch for this for quite some time.
Frech> XF:outlook-header-dos(4645)
CHANGE> [Wall changed vote from REVIEWING to RECAST]
Wall> UNABLE TO DUPLICATE

Description: OpenSSL 0.9.4 and OpenSSH for FreeBSD do not properly check for the
existence of the /dev/random or /dev/urandom devices, which are absent
on FreeBSD Alpha systems, which causes them to produce weak keys which
may be more easily broken.

Description: The command port for PGP Certificate Server 2.5.0 and 2.5.1 allows
remote attackers to cause a denial of service if their hostname does
not have a reverse DNS entry and they connect to port 4000.

Frech> XF:nt-smb-request-dos(4600)
Christey> Consult with Microsoft to see if this is MS:MS00-066
Christey> ADDREF MS:MS00-066
(confirmed offline with David LeBlanc)
Subsequently, add BID:1673 and XF:win2k-rpc-dos(5222)

Frech> XF:sgi-mailx-bo(1371)
CAN-2000-0545 seems to be a dupe of CVE-1999-0125 (Buffer overflow in SGI
IRIX mailx program) since they both allow 'mail' group privileges. There was
no exploit for SGI's vuln to compare.
Christey> Since we are taking a split-by-default approach when
there are insufficient details, we should keep this
separate from CVE-1999-0125. The difference in the
time of discovery is also a factor, even if these wind
up being the same problem. However, there just aren't
enough details to be sure if this is the same problem or not.
Christey> On June 25, 1998, a buffer overflow in mailx via the HOME
environmental variable was posted at:
BUGTRAQ:19980625 security hole in mailx
http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125955&w=2
This affected multiple OSes.
SGI:19980605-01-PX (CVE-1999-0125) was published on September
29, 1998; while the advisory is short on details, it does
mention a buffer overflow.
So, there's enough distinction here (time and what gets
exploited) to say that these should remain split; but
CVE-1999-0125 likely needs to be RECAST to mention other
affected OSes.

Levy> What do others think? Should this be a vuln? I can see the argument
that some features are simply not available unless you use the maximum
security settings.
Christey> At the very least, this needs to be modified to state that
this problem/concern applies to high ports in general, not
just Back Orifice.
The Bugtraq poster claims that BlackICE "shuts down" the port,
but only *after* some initial traffic "leaks" out. This may
be by design, but it does mean that there is a small window
of opportunity in which BlackICE may not work "as
advertised," even at lower security settings.
Christey> XF:blackice-security-level-nervous
BID:1389
Frech> XF:blackice-security-level-nervous(4777)
CHANGE> [Levy changed vote from REVIEWING to ACCEPT]
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Baker> I accept it more as a security exposure, than a real vulnerability.
It performs just as any other "firewall" or IDS product can be configured to
allow traffic without notifying the user. You can adjust settings on
any product that allow traffic that other people or organizations would
find unacceptable. So, as long as it is reflected that this is more of
a configuration that allows such traffic as opposed to a defective
or improperly functioning software issue, I don't have a problem with
it.

Description: The URLConnection function in MacOS Runtime Java (MRJ) 2.1 and earlier
and the Microsoft virtual machine (VM) for MacOS allows a malicious
web site operator to connect to arbitrary hosts using a HTTP
redirection, in violation of the Java security model.

Christey> Confirmed by Scott Culp, but this only applies to
outdated/unsupported versions of the JVM.
Frech> XF:macos-java-security-ignored(5052)
Christey> Consult with Microsoft to ensure that this is fixed by
MS:MS00-059. If so, then this might not just be in MacOS.

Description: FTP servers such as OpenBSD ftpd, NetBSD ftpd, ProFTPd and Opieftpd do
not properly cleanse untrusted format strings that are used in the
setproctitle function (sometimes called by set_proc_title), which
allows remote attackers to cause a denial of service or execute
arbitrary commands.

Christey> CD:SF-CODEBASE applies here. There are many ftpd's that
have this setproctitle() problem, but it might be traced
back to the same codebase. See if the HP problem is the
same here as well, and if so, ADDREF HP:HPSBUX0007-117
URL:http://www.securityfocus.com/templates/advisory.html?id=2404
Frech> XF:ftp-setproctitle-format-string(4908)
BID:1438 does not exist.
Christey> ADDREF HP:HPSBUX0007-117??
http://archives.neohapsis.com/archives/hp/2000-q4/0020.html
Christey> ADDREF BID:650 ?

Description: SGI MIPSPro compilers C, C++, F77 and F90 generate temporary files in
/tmp with predictable file names, which could allow local users to
insert malicious contents into these files as they are being compiled
by another user.

Description: Windows 2000 Server allows remote attackers to cause a denial of
service by sending a continuous stream of binary zeros to various TCP
and UDP ports, which significantly increases the CPU utilization.

LeBlanc> Insufficient data. Most of their claims are not reproducible. You can,
however, DoS the telnet server this way. As far as I know, there is no repro
on any of the other ports. I am not sure of fix status at this time
(7/19/00). Also overlaps with CAN-2000-0581
CHANGE> [Magdych changed vote from REVIEWING to REJECT]
Magdych> The only independent verification of these claims I have heard is for the Telnet denial of service, which is already defined in CVE candidate CAN-2000-0581.
Frech> Replace win2k-cpu-overload-dos(4824) with win2k-telnetserver-dos(4823)

Description: Buffer overflow in fld program in Kanji on Console (KON) package on
Linux may allow local users to gain root privileges via an input file
containing long CHARSET_REGISTRY or CHARSET_ENCODING settings.

Christey> This problem appears in AMaViS as well, so they may be the
same codebase. If so, then CD:SF-CODEBASE says to merge the
two (thus ADDREF BID:1461). If they are not the same
codebase, then create a separate candidate for BID:1461.
Frech> XF:linux-tnef-email-overwrite(4915)
CHANGE> [Magdych changed vote from REVIEWING to NOOP]

Frech> XF:alibaba-get-dos(4934)
Christey> This is in a relatively old Nessus plugin, though the exploit
uses POST instead of GET. This was probably discovered
earlier than the references indicate.
CHANGE> [Wall changed vote from NOOP to ACCEPT]
Wall> Found by Arne Vidstrom and found in multiple sources
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> See the POST comment in
http://marc.theaimsgroup.com/?l=bugtraq&m=94182951012884&w=2
Also see http://marc.theaimsgroup.com/?l=bugtraq&m=94191318721834&w=2
One poster says that a large number of sites are running
Alibaba (based on a netcraft report), but I'm not 100%
sure Netcraft's doing a good job of identifying Alibaba
servers.

Description: WFTPD and WFTPD Pro 2.41 allow remote attackers to cause a denial of
service by using the RESTART (REST) command and writing beyond the end
of a file, or writing to a file that does not exist, via commands such
as STORE UNIQUE (STOU), STORE (STOR), or APPEND (APPE).

Christey> ADDREF http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP
Change description to point out that the internal IP address
exposure is due to the default configuration as opposed to
a bug.
Frech> XF:iis-internal-ip-disclosure(5106)
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> There are two variants of the same type of issue here. The
KB article shows that IIS 4.0 reveals the IP address in a
Content-Location MIME header field. The NTBugtraq article
says that the IP address is shown in the WWW-Authenticate
MIME header. Which one has been fixed, or both, and when?
Christey> MSKB:Q218180 identifies a problem in which IIS returns the
info in a Content-Location header, but the authentication
realm problem is not specifically mentioned. Are these the
same problem?

Frech> Is this a duplicate of CAN-2000-0105? I can find no differentiating evidence
to show that this issue is unique.
Christey> I need to look through my email logs to recall whether I
resolved this potential duplicate with Microsoft people.
CHANGE> [Frech changed vote from REVIEWING to REJECT]

Frech> XF:linux-gpm-gpmctl-dos(5010)
We show this issue to be cross-Linux-platform and not Caldera specific. May
also be a LOA issue or duplicate or specific instance of CAN-2000-0531. This
position is further validated by BID-1512 and BID-1377, which list this as
a Conectiva Linux/Mandrake issue and list Mandrake:MDKSA-2000:025 in common.
We will list both CVEs under the listed XF tag unless otherwise instructed.
Christey> ADDREF Conectiva?
URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0396.html
Christey> ADDREF REDHAT:RHSA-2000:045-01
ADDREF BUGTRAQ:20000727 CONECTIVA LINUX SECURITY ANNOUNCEMENT - GPM
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96473014104340&w=2
Another possible reference is:
BUGTRAQ:20000728 MDKSA:2000-025 gpm update
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96480812908563&w=2
although the advisory is not explicit. It also refers to
CAN-2000-0531.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Per Andre Frech's comments.

Description: Subscribe Me LITE does not properly authenticate attempts to change
the administrator password, which allows remote attackers to gain
privileges for the Account Manager by directly calling the
subscribe.pl script with the setpwd parameter.

Description: Account Manager LITE does not properly authenticate attempts to change
the administrator password, which allows remote attackers to gain
privileges for the Account Manager by directly calling the amadmin.pl
script with the setpasswd parameter.

Votes:

ACCEPT(2) Levy, Cole
MODIFY(1) Frech
NOOP(2) Wall, Christey

Voter Comments:

Frech> XF:account-manager-overwrite-password
In description, you probably want to indicate both Account Manager LITE and PRO.
Because CONFIRM redirects, you may want to verify and normalize to http://www.cgiscriptcenter.com/acctman/index2.html.
Christey> XF:account-manager-overwrite-password
http://xforce.iss.net/static/5125.php
Frech> XF:account-manager-overwrite-password(5125)

Description: The faxrunq and faxrunqd programs in the mgetty package allow local users to
create or modify arbitrary files via a symlink attack which creates a
symlink from /var/spool/fax/outgoing/.last_run to the target file.

Frech> XF:realsecure-rskill-dos
Christey> CHANGEREF XF:realsecure-rskill-dos to XF:realsecure-frag-syn-dos?
http://xforce.iss.net/static/5133.php
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> In an email to issforum@iss.net on September 7, 2000, ISS says
that Network Sensor 3.2.2 is affected by SYN flooding, but
RealSecure 5.0 is not affected by SYN flooding. In addition,
they could not find conclusive evidence that RS 3.2.2 or 5.0
was affected by IP fragmentation. This seems to indicate
that there are 2 *possible* problems: SYN flooding (acknowledged
by ISS) and fragmentation (unconfirmed). Perhaps this
candidate needs to be split, or its description should be
rewritten to separate the 2 reported problems.
Frech> XF:realsecure-rskill-dos(5133)

Description: The administration interface for the dwhttpd web server in Solaris
AnswerBook2 does not properly authenticate requests to its supporting
CGI scripts, which allows remote attackers to add user accounts to the
interface by directly calling the admin CGI script.

Description: The shtml.exe component of Microsoft FrontPage 2000 Server Extensions
1.1 allows remote attackers to cause a denial of service in some
components by requesting a URL whose name includes a standard DOS
device name.

Description: Helix GNOME Updater helix-update 0.5 and earlier does not properly
create /tmp directories, which allows local users to create empty
system configuration files such as /etc/config.d/bashrc,
/etc/config.d/csh.cshrc, and /etc/rc.config.

Description: Buffer overflow in Becky! Internet Mail client 1.26.03 and earlier
allows remote attackers to cause a denial of service via a long
Content-type: MIME header when the user replies to a message.

Description: Buffer overflow in Becky! Internet Mail client 1.26.04 and earlier
allows remote attackers to cause a denial of service via a long
Content-type: MIME header when the user forwards a message.

Description: Vulnerabilities in IIS 4.0 and 5.0 do not properly protect against
cross-site scripting (CSS) attacks. They allow a malicious web site
operator to embed scripts in a link to a trusted site, which are
returned without quoting in an error message back to the client. The
client then executes those scripts in the same context as the trusted
site, aka the "IIS Cross-Site Scripting" vulnerabilities.

Votes:

ACCEPT(3) Levy, Wall, Cole
MODIFY(1) Frech
REVIEWING(1) Christey

Voter Comments:

Christey> Make sure both BID's are appropriate
XF:iis-cross-site-scripting
http://xforce.iss.net/static/5156.php
Frech> XF:iis-cross-site-scripting(5156)
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> A re-release of MS:MS00-060 indicates that a new variant of
this problem was discovered, but the advisory does not
provide sufficient details to distinguish it from this
candidate. A new candidate is being created, but the
description can't be written without mentioning this CAN.

LeBlanc> - if a KB article, bulletin, or patch can be found, then
I'll ACCEPT
Christey> This is the same as MS:MS01-012 (CAN-2001-0145)
See the Bugtraq post by Joel Moses:
http://marc.theaimsgroup.com/?l=bugtraq&m=98322714210100&w=2
As of this writing, it is not certain which candidate
should be preferred: the candidate that has been publicly
known longer (i.e. CAN-2000-0756), or the more "official"
candidate, which has probably been publicized more (i.e.
CAN-2001-0145).
Frech> XF:outlook-vcard-dos(5175)
XF:outlook-vcard-bo(6145)
Because there's another more recent CAN linked to @stake and
Microsoft's advisories, we'll link both of our records to both
candidates until a final decision occurs. If a decision has been made
to promote the CAN-2001 entry, then enter my vote as a REJECT for
CAN-2000-0756.
Frech> Replace outlook-vcard-bo(6145) with outlook-vcard-dos(5175)

Description: The sysgen service in Aptis Totalbill does not perform authentication,
which allows remote attackers to gain root privileges by connecting to
the service and specifying the commands to be executed.

Description: Jakarta Tomcat 3.1 under Apache reveals physical path information when
a remote attacker requests a URL that does not exist, which generates
an error message that includes the physical path.

Description: Buffer overflow in RobTex Viking server earlier than 1.06-370 allows
remote attackers to cause a denial of service or execute arbitrary
commands via a long HTTP GET request, or long Unless-Modified-Since,
If-Range, or If-Modified-Since headers.

Description: uagentsetup in ARCServeIT Client Agent 6.62 does not properly check
for the existence or ownership of a temporary file which is moved to
the agent.cfg configuration file, which allows local users to
execute arbitrary commands by modifying the temporary file before it
is moved.

Description: String parsing error in rpc.kstatd in the linuxnfs or knfsd packages
in SuSE and possibly other Linux systems allows remote attackers to
gain root privileges.

Votes:

ACCEPT(1) Cole
MODIFY(2) Frech, Levy
NOOP(1) Wall
REJECT(1) Christey

Voter Comments:

Levy> This is the same as other Linux vendors statd format string problem.
Reference: BID 1480
Christey> If this is the same as the other statd format string problems,
then this is a duplicate of CAN-2000-0666.
Frech> XF:linux-rpcstatd-format-overwrite(4939)
CHANGE> [Christey changed vote from REVIEWING to REJECT]
Christey> OK, I agree that this is a dupe of CVE-2000-0666.
Here's why:
BUGTRAQ:20000803 SuSE Security: miscellaneous
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96540330329127&w=2
One statement says "The SuSE package containing rpc.kstatd
(other vendors named it rpc.statd)... An updated package is
currently being tested."

Description: The BAIR program does not properly restrict access to the Internet
Explorer Internet options menu, which allows local users to obtain
access to the menu by modifying the registry key that starts BAIR.

Description: The administration module in Sun Java web server allows remote
attackers to execute arbitrary commands by uploading Java code to the
module and invoking the com.sun.server.http.pagecompile.jsp92.JspServlet
by requesting a URL that begins with a /servlet/ tag.

Frech> XF:sunjava-webadmin-bbs(5135)
Levy> BID 1600
Frech> We also show this associated with CAN-2000-0629: The default
configuration of the Sun Java web server 2.0 and earlier allows remote
attackers to execute arbitrary commands by uploading Java code to the
server via board.html, then directly calling the JSP compiler
servlet. CVE web site concurs.
Christey> I think that Casper Dik confirmed that CAN-2000-0629 is a
configuration problem, and this one is a bug, so they are
different problems. I need to dig up that email, though...
Dik> CAN-2000-0629 indeed is about sample code which shouldn't
be run on production servers.
This one is an actual bug and patches have been produced
for JWS 2.0 and 1.1.3.

Description: Buffer overflow in the web authorization form of Mobius DocumentDirect
for the Internet 1.2 allows remote attackers to cause a denial of
service or execute arbitrary commands via a long username.

Frech> XF:htgrep-cgi-view-files(5476)
Collins> http://www.iam.unibe.ch/~scg/Src/Doc/
Christey> The change log for htgrep acknowledges the problem, but it
says that the qry tag is also affected. CD:SF-LOC says that
multiple problems of the same type in the same version should
be combined, so this candidate should get a "soft recast"
and qry should be added to the description.

Magdych> Unless the beta product is in very widespread use, or the product is in
"perpetual beta" (e.g. ICQ), I would prefer not to include beta software.
Christey> XF:sambar-search-view-folder
Frech> XF:sambar-search-view-folder(5247)
Baker> Unless we change our CD:EX-BETA, we should reject this entry. Perhaps we need to address the issue of Beta software again, but the previous discussion was pretty thorough and I believe the editorial board was unanimous in excluding normal beta software.
Christey> Fix typo: "paramater"

Frech> XF:sco-help-view-files(5226)
Christey> What is the proper "spelling" for the SCO help HTTP server?
I've seen it as "SCOhelp" and "scohelphttp" and "SCO help HTTP"
Christey> XF:sco-help-view-files

Description: The logging capability in muh 2.05d IRC server does not properly
cleanse user-injected format strings, which allows remote attackers to
cause a denial of service or execute arbitrary commands via a
malformed nickname.

Description: LPPlus creates the lpdprocess file with world-writeable permissions,
which allows local users to kill arbitrary processes by specifying an
alternate process ID and using the setuid dcclpdshut program to kill
the process that was specified in the lpdprocess file.

Description: The dccscan setuid program in LPPlus does not properly check if the
user has the permissions to print the file that is specified to
dccscan, which allows local users to print arbitrary files.

Description: Buffer overflows in Microsoft Network Monitor (Netmon) allow remote
attackers to execute arbitrary commands via a long Browser Name in a
CIFS Browse Frame, a long SNMP community name, or a long username or
filename in an SMB session, aka the "Netmon Protocol Parsing"
vulnerability. NOTE: It is highly likely that this candidate will be
split into multiple candidates.

Description: HTTP server on the WatchGuard SOHO firewall does not properly restrict
access to administrative functions such as password resets or
rebooting, which allows attackers to cause a denial of service or
conduct unauthorized activities.

Description: Small HTTP Server 2.01 does not properly process Server Side Includes
(SSI) tags that contain null values, which allows local users, and
possibly remote attackers, to cause the server to crash by inserting
the SSI into an HTML file.

Description: Small HTTP Server 2.01 allows remote attackers to cause a denial of
service by connecting to the server and sending out multiple GET,
HEAD, or POST requests and closing the connection before the server
responds to the requests.

Collins> Assigning CVE numbers for demo software is not appropriate
Baker> Was this a beta version in the demo disk? I don't think it was. While we do have an exclusion for beta software,
software that is distributed as production software, just limited in scope, does not mean beta.
The current version is 4, but it is still offered for free download from their website for use.

Christey> May be a duplicate of CVE-2000-0373, but the ref's in that CVE
are vague. I suspect this *isn't* a duplicate because this is
a format string problem.
Baker> I think it is sufficiently different from 2000-0373.

Description: Samba Web Administration Tool (SWAT) in Samba 2.0.7 allows remote
attackers to cause a denial of service by repeatedly submitting a
nonstandard URL in the GET HTTP request and forcing it to restart.

Votes:

ACCEPT(2) Frech, Mell
NOOP(1) Cole
REJECT(1) Renaud

Voter Comments:

Renaud> SWAT makes this DoS easier to perform, but actually, it is an inetd
problem, not a swat problem.

Description: Cisco Virtual Central Office 4000 (VCO/4K) uses weak encryption to
store usernames and passwords in the SNMP MIB, which allows an
attacker who knows the community name to crack the password and gain
privileges.

Description: Buffer overflow in ncurses library allows local users to execute
arbitrary commands via long environmental information such as TERM or
TERMINFO_DIRS.

Votes:

ACCEPT(2) Mell, Cole
MODIFY(1) Frech
REVIEWING(1) Christey

Voter Comments:

Christey> Various vendor writeups indicate that there are multiple
overflows, so maybe this needs to be SPLIT.
ADDREF FREEBSD:FreeBSD-SA-00:68
ADDREF DEBIAN:20001121 ncurses: local privilege escalation
http://www.debian.org/security/2000/20001121
ADDREF REDHAT:RHSA-2000:115
http://www.redhat.com/support/errata/RHSA-2000-115.html
BUGTRAQ:20001201 Immunix OS Security update for ncurses
http://marc.theaimsgroup.com/?l=bugtraq&m=97570745306444&w=2
Frech> XF:libmytinfo-bo(4422)
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> This is all a library issue in which TERM/TERMINFO_DIRS are
one possible attack vector, but another is through entries
in the .terminfo file. Add .terminfo and termcap to the
description, as well as libncurses.
ADDREF MANDRAKE:MDKSA-2001:052
URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-052.php3
Now need to examine whether this is a dupe of CAN-2002-0062,
and/or BID:2116. There's certainly enough confusion to go
around.
CHANGE> [Christey changed vote from REVIEWING to NOOP]
Christey> This is not a dupe of CAN-2002-0062. As explained in
DEBIAN:DSA-113, the original patches for CAN-2000-0963
didn't catch every problem.
ADDREF SUSE:SuSE-SA:2000:043
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97267560724404&w=2
CHANGE> [Christey changed vote from NOOP to REVIEWING]

Description: Buffer overflow in oidldapd in Oracle 8.1.6 allows local users to gain
privileges via a long "connect" command line parameter.

Votes:

ACCEPT(3) Frech, Mell, Cole
NOOP(2) Christey, Armstrong

Voter Comments:

Christey> http://archives.neohapsis.com/archives/bugtraq/2000-12/0400.html
appears to be a rediscovery of this problem.
Christey> It looks like Juan Manuel Pascual Escriba saw this issue
in a later version and re-posted, but that later post doesn't
mention the earlier one. The exploit is almost exactly the
same, but the affected version is 8.1.7.
ADDREF BUGTRAQ:20001221 vulnerability #1 in Oracle Internet Directory 2.1.1.1 in Oracle 8.1.7
http://archives.neohapsis.com/archives/bugtraq/2000-12/0400.html
ADDREF BUGTRAQ:20010118 Patch for Potential Buffer Overflow Vulnerabilities in Oracle Internet Directory
http://archives.neohapsis.com/archives/bugtraq/2001-01/0325.html

Description: PalmOS 3.5.2 and earlier uses weak encryption to store the user
password, which allows attackers with physical access to the Palm
device to decrypt the password and gain access to the device.

Description: dump in Red Hat Linux 6.2 trusts the pathname specified by the RSH
environmental variable, which allows local users to obtain root
privileges by modifying the RSH variable to point to a Trojan horse
program.

Description: The default configuration of Slashcode before version 2.0 Alpha has a
default administrative password, which allows remote attackers to gain
Slashcode privileges and possibly execute arbitrary commands.

Description: eWave ServletExec JSP/Java servlet engine, versions 3.0C and earlier,
allows remote attackers to cause a denial of service via a URL that
contains the "/servlet/" string, which invokes the ServletExec servlet
and causes an exception if the servlet is already running.

Description: Serv-U FTP Server allows remote attackers to bypass its anti-hammering
feature by first logging on as a valid user (possibly anonymous) and
then attempting to guess the passwords of other users.

Description: Various TCP/IP stacks and network applications allow remote attackers
to cause a denial of service by flooding a target host with TCP
connection attempts and completing the TCP/IP handshake without
maintaining the connection state on the attacker host, aka the
"NAPTHA" class of vulnerabilities. NOTE: this candidate may change
significantly as the security community discusses the technical
nature of NAPTHA and learns more about the affected applications.
This candidate is at a higher level of abstraction than is typical for
CVE.

Baker> Although this is at a high level, the fact is that it is a vulnerability, and as such we need to recognize this, even if we have to recast or modify the description at some later time.
Christey> This needs to be commented on and reviewed by many Board
members.
Frech> XF:naptha-resource-starvation(5810)
Christey> ADDREF SGI:20020304-01-A
Christey> SGI:20020304-01-A

Description: Buffer overflows in the ESMTP service of Lotus Domino 5.0.2c and earlier
allow remote attackers to cause a denial of service and possibly
execute arbitrary commands via a long "RCPT TO," "SAML FROM," or "SOML
FROM" command.

Description: Directory traversal vulnerability in the logfile service of Wingate
4.1 Beta A and earlier allows remote attackers to read arbitrary files
via a .. (dot dot) attack via an HTTP GET request that uses encoded
characters in the URL.

Description: Netscape (iPlanet) Certificate Management System 4.2 and Directory
Server 4.12 store the administrative password in plaintext, which
could allow local and possibly remote attackers to gain administrative
privileges on the server.

Votes:

ACCEPT(3) Baker, Frech, Mell
NOOP(2) Cole, Christey

Voter Comments:

Christey> Partial vendor acknowledgement at:
http://docs.iplanet.com/docs/manuals/cms/42/relnotes/release_notes.html
"By default, Administration Server administrator's password
(also known as the SIE password) is stored in clear text in the
adm.conf file.
This does not usually pose a security threat because most
administrators use their Operating System's security features to
ensure that the file is protected from other users."

Description: The xp_displayparamstmt function in SQL Server and Microsoft SQL
Server Desktop Engine (MSDE) does not properly restrict the length of
a buffer before calling the srv_paraminfo function in the SQL Server
API for Extended Stored Procedures (XP), which allows an attacker to
cause a denial of service or execute arbitrary commands, aka the
"Extended Stored Procedure Parameter Parsing" vulnerability.

Description: The xp_enumresultset function in SQL Server and Microsoft SQL Server
Desktop Engine (MSDE) does not properly restrict the length of a
buffer before calling the srv_paraminfo function in the SQL Server API
for Extended Stored Procedures (XP), which allows an attacker to cause
a denial of service or execute arbitrary commands, aka the "Extended
Stored Procedure Parameter Parsing" vulnerability.

Description: The xp_showcolv function in SQL Server and Microsoft SQL Server
Desktop Engine (MSDE) does not properly restrict the length of a
buffer before calling the srv_paraminfo function in the SQL Server API
for Extended Stored Procedures (XP), which allows an attacker to cause
a denial of service or execute arbitrary commands, aka the "Extended
Stored Procedure Parameter Parsing" vulnerability.

Description: The xp_updatecolvbm function in SQL Server and Microsoft SQL Server
Desktop Engine (MSDE) does not properly restrict the length of a
buffer before calling the srv_paraminfo function in the SQL Server API
for Extended Stored Procedures (XP), which allows an attacker to cause
a denial of service or execute arbitrary commands, aka the "Extended
Stored Procedure Parameter Parsing" vulnerability.

Description: The xp_peekqueue function in Microsoft SQL Server 2000 and SQL Server
Desktop Engine (MSDE) does not properly restrict the length of a
buffer before calling the srv_paraminfo function in the SQL Server API
for Extended Stored Procedures (XP), which allows an attacker to cause
a denial of service or execute arbitrary commands, aka the "Extended
Stored Procedure Parameter Parsing" vulnerability.

Christey> CAN-2000-1085, CAN-2000-1086, CAN-2000-1087, and CAN-2000-1088
all have abstraction issues; perhaps they should be RECAST
into a single candidate.
Christey> ADDREF XF:mssql-xp-paraminfo-bo
URL:http://xforce.iss.net/static/5622.php
Frech> XF:mssql-xp-paraminfo-bo(5622)

Description: The xp_printstatements function in Microsoft SQL Server 2000 and SQL
Server Desktop Engine (MSDE) does not properly restrict the length of
a buffer before calling the srv_paraminfo function in the SQL Server
API for Extended Stored Procedures (XP), which allows an attacker to
cause a denial of service or execute arbitrary commands, aka the
"Extended Stored Procedure Parameter Parsing" vulnerability.

Christey> CAN-2000-1085, CAN-2000-1086, CAN-2000-1087, and CAN-2000-1088
all have abstraction issues; perhaps they should be RECAST
into a single candidate.
Christey> ADDREF XF:mssql-xp-paraminfo-bo
URL:http://xforce.iss.net/static/5622.php
Frech> XF:mssql-xp-paraminfo-bo(5622)

Description: The xp_proxiedmetadata function in Microsoft SQL Server 2000 and SQL
Server Desktop Engine (MSDE) does not properly restrict the length of
a buffer before calling the srv_paraminfo function in the SQL Server
API for Extended Stored Procedures (XP), which allows an attacker to
cause a denial of service or execute arbitrary commands, aka the
"Extended Stored Procedure Parameter Parsing" vulnerability.

Christey> CAN-2000-1085, CAN-2000-1086, CAN-2000-1087, and CAN-2000-1088
all have abstraction issues; perhaps they should be RECAST
into a single candidate.
Christey> ADDREF XF:mssql-xp-paraminfo-bo
URL:http://xforce.iss.net/static/5622.php
Frech> XF:mssql-xp-paraminfo-bo(5622)

Description: The xp_SetSQLSecurity function in Microsoft SQL Server 2000 and SQL
Server Desktop Engine (MSDE) does not properly restrict the length of
a buffer before calling the srv_paraminfo function in the SQL Server
API for Extended Stored Procedures (XP), which allows an attacker to
cause a denial of service or execute arbitrary commands, aka the
"Extended Stored Procedure Parameter Parsing" vulnerability.

Christey> CAN-2000-1085, CAN-2000-1086, CAN-2000-1087, and CAN-2000-1088
all have abstraction issues; perhaps they should be RECAST
into a single candidate.
Christey> ADDREF XF:mssql-xp-paraminfo-bo
URL:http://xforce.iss.net/static/5622.php
Frech> XF:mssql-xp-paraminfo-bo(5622)

LeBlanc> Fixed in SP2 for Win2K. NT 4.0 is not affected. bulletin
MS99-022
Christey> Need to add the Bugtraq references for this.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Is this really the same problem addressed by MS99-022,
which is covered by CVE-1999-0725 ?

Description: loadpage.cgi CGI program in EZshopper 3.0 and 2.0 allows remote
attackers to list and read files in the EZshopper data directory by
inserting a "/" in front of the target filename in the "file"
parameter.

Frech> XF:aim-remote-bo(5732)
Christey> CD:SF-LOC as currently written suggests merging this with
CVE-2000-1094, since both describe buffer overflows in the
same software version.
Christey> Consider adding BID:2118

Description: The default configuration for PostACI webmail system installs the
/includes/global.inc configuration file within the web root, which
allows remote attackers to read sensitive information such as database
usernames and passwords via a direct HTTP GET request.

Description: rcvtty in BSD 3.0 and 4.0 does not properly drop privileges before
executing a script, which allows local attackers to gain privileges by
specifying an alternate Trojan horse script on the command line.

Description: Variant of the "IIS Cross-Site Scripting" vulnerability as originally
discussed in MS:MS00-060 (CAN-2000-0746) allows a malicious web site
operator to embed scripts in a link to a trusted site, which are
returned without quoting in an error message back to the client. The
client then executes those scripts in the same context as the trusted
site.

Description: The ixsso.query ActiveX Object is marked as safe for scripting, which
allows malicious web site operators to embed a script that remotely
determines the existence of files on visiting Windows 2000 systems
that have Indexing Services enabled.

Description: The Extended Control List (ECL) feature of the Java Virtual Machine
(JVM) in Lotus Notes Client R5 allows malicious web site operators to
determine the existence of files on the client by measuring delays in
the execution of the getSystemResource method.

Description: restore 0.4b15 and earlier in Red Hat Linux 6.2 trusts the pathname
specified by the RSH environmental variable, which allows local users
to obtain root privileges by modifying the RSH variable to point to a
Trojan horse program.

Description: registrar in the HP resource monitor service allows local users to
read and modify arbitrary files by renaming the original registrar.log
log file and creating a symbolic link to the target file, to which
registrar appends log information and sets the permissions to be world
readable.

Description: The default configuration of McAfee VirusScan 4.5 does not quote the
ImagePath variable, which improperly sets the search path and allows
local users to place a Trojan horse "common.exe" program in the
C:\Program Files directory.

Frech> XF:linux-bash-tmp-symlink(5593)
Christey> Don't all these shell programs originate from the same
codebase, including ksh? If so, we should have a single CAN
for all of these, and add:
XF:ksh-redirection-symlink
URL:http://xforce.iss.net/static/5811.php
CONECTIVA:CLA-2000:354
BUGTRAQ:20001208 Immunix OS Security update for tcsh
http://archives.neohapsis.com/archives/linux/immunix/2000-q4/0041.html
BUGTRAQ:20001220 /bin/ksh creates insecure tmp files
http://archives.neohapsis.com/archives/bugtraq/2000-12/0368.html
BUGTRAQ:20001227 IBM Findings: Korn Shell Redirection Race Condition Vulnerability
http://archives.neohapsis.com/archives/bugtraq/2000-12/0473.html
Also see: http://archives.neohapsis.com/archives/bugtraq/2000-12/0420.html
which gives some shell history which may be of use.
Christey> ADDREF FREEBSD:FreeBSD-SA-01:03 for the bash problem.
Christey> Consider adding BID:2148 if this CAN should include ksh
Christey> SGI:20011103-01-I
URL:ftp://patches.sgi.com/support/free/security/advisories/20011103-01-I
Also, DELREF BID:2148 and BID:1926. Keep BID:2006
Christey> COMPAQ:SSRT1-41U
URL:http://ftp.support.compaq.com/patches/.new/html/SSRT0742U-59U.shtml
CERT-VN:VU#10277
URL:http://www.kb.cert.org/vuls/id/10277
Christey> SGI:20011103-02-P
URL:ftp://patches.sgi.com/support/free/security/advisories/20011103-02-P
Note that this is an update of the other SGI reference.
Christey> CALDERA:CSSA-2001-SCO.24
URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.24.1/CSSA-2001-SCO.24.1.txt
CERT-VN:VU#10277
URL:http://www.kb.cert.org/vuls/id/10277
Christey> Missing BID - BID:1926

Description: Lotus Notes R5 client R5.0.5 and earlier does not properly warn users
when an S/MIME email message has been modified, which could allow an
attacker to modify the email in transit without being detected.

Frech> XF:iis-isapi-asp-bo(5510)
Christey> Consult Microsoft on this one.
LeBlanc> This one was already fixed in several hotfixes when it was
found. I'm not sure what the content decision is on this. It is a valid
problem, but it was already fixed when announced. I will go along with
an accept vote once it is modified to show fixes.

Description: The installation of AdCycle banner management system leaves the
build.cgi program in a web-accessible directory, which allows remote
attackers to execute the program and view passwords or delete
databases.

Description: Microsys CyberPatrol uses weak encryption (trivial encoding) for
credit card numbers and uses no encryption for the remainder of the
information during registration, which could allow attackers to sniff
network traffic and obtain this sensitive information.

Description: htsearch program in htDig 3.2 beta, 3.1.5, and earlier allows remote
attackers to determine the physical path of the server by requesting a
non-existent configuration file using the config parameter, which
generates an error message that includes the full path.

Description: POP2 or POP3 server (pop3d) in imap-uw IMAP package on FreeBSD and
other operating systems creates lock files with predictable names,
which allows local users to cause a denial of service (lack of mail
access) for other users by creating lock files for other mail boxes.

Description: qpopper POP server creates lock files with predictable names, which
allows local users to cause a denial of service for other users (lack
of mail access) by creating lock files for other mail boxes.

Description: ikeyman in IBM IBMHSSSB 1.0 sets the CLASSPATH environmental variable
to include the user's own CLASSPATH directories before the system's
directories, which allows a malicious local user to execute arbitrary
code as root via a Trojan horse Ikeyman class.

Description: Lotus Domino SMTP server 4.63 through 5.08 allows remote attackers to
cause a denial of service (CPU consumption) by forging an email
message with the sender as bounce@[127.0.0.1] (localhost), which
causes Domino to enter a mail loop.

Green> Since a workaround involving configuration settings exists, the presenting problem should also exist.
Frech> XF:lotus-domino-bounced-message-dos(7012)
CONFIRM:
http://www-1.ibm.com/support/docview.wss?rs=0&org=sims&doc=DA18AA221C3B982085256B84000033EB
Christey> The CONFIRM URL provided by Andre is broken

Description: Vulnerability in the mod_vhost_alias virtual hosting module for Apache
1.3.9, 1.3.11 and 1.3.12 allows remote attackers to obtain the source
code for CGI programs if the cgi-bin directory is under the document
root.

Description: Cross site scripting vulnerabilities in Apache 1.3.0 through 1.3.11
allow remote attackers to execute script as other web site visitors
via (1) the printenv CGI, which does not encode its output, (2) pages
generated by the ap_send_error_response function such as a default
404, which does not add an explicit charset, or (3) various messages
that are generated by certain Apache modules or core code.

Description: userhelper in the usermode package on Red Hat Linux executes
non-setuid programs as root, which does not activate the security
measures in glibc and allows the programs to be exploited via format
string vulnerabilities in glibc via the LANG or LC_ALL environment
variables (CVE-2000-0844).

Description: The "sa" account is installed with a default null password on (1)
Microsoft SQL Server 2000, (2) SQL Server 7.0, and (3) Data Engine
(MSDE) 1.0, including third party packages that use these products
such as (4) Tumbleweed Secure Mail (MMS), (5) Compaq Insight Manager,
and (6) Visio 2000, which allows remote attackers, including worms such
as Voyager Alpha Force and Spida, to gain privileges.

Description: ping in iputils before 20001010, as distributed on Red Hat Linux 6.2
through 7J and other operating systems, does not drop privileges after
acquiring a raw socket, which increases ping's exposure to bugs that
otherwise would occur at lower privileges.

Description: Buffer overflows in the (1) outpack or (2) buf variables of ping in
iputils before 20001010, as distributed on Red Hat Linux 6.2 through
7J and other operating systems, may allow local users to gain
privileges.

Description: mod_sqlpw module in ProFTPD does not reset a cached password when a
user uses the "user" command to change accounts, which allows authenticated
attackers to gain privileges of other users.

Description: Buffer overflow in oops WWW proxy server 1.4.6 (and possibly other
versions) allows remote attackers to execute arbitrary commands via a
long host or domain name that is obtained from a reverse DNS lookup.

Votes:

ACCEPT(2) Cole, Baker
MODIFY(1) Frech
NOOP(3) Christey, Ziese, Wall

Voter Comments:

Frech> XF:oops-dns-bo(6122)
Christey> This looks like a different overflow than the one described
in the original post at:
http://archives.neohapsis.com/archives/bugtraq/2000-12/0127.html
The vendor does acknowledge *that* problem in the 1.5.0
comments of
http://zipper.paco.net/~igor/oops/ChangeLog
Christey> Vendor fixed this problem between 1.4.22 and 1.5.5, based
on a source code comparison.
CD:SF-LOC says that bugs of the same type, that appear in
different versions, must be SPLIT. Therefore this should
stay separate from CVE-2001-0028.
Change MISC to CONFIRM. The comments for version 1.5.4
say "more sprintf/strncpy fixes" and that's the type of
changes that were made in lib.c, the code that was listed
in the Bugtraq post for this CAN.

Description: The default permissions for the RAS Administration key in Windows NT
4.0 allows local users to execute arbitrary commands by changing the
value to point to a malicious DLL, aka one of the "Registry
Permissions" vulnerabilities.

Description: The installation of J-Pilot creates the .jpilot directory with the
user's umask, which could allow local attackers to read other users'
PalmOS backup information if their umasks are not securely set.

Description: register.cgi in Ikonboard 2.1.7b and earlier allows remote attackers
to execute arbitrary commands via the SEND_MAIL parameter, which
overwrites an internal program variable that references a program to
be executed.

Description: GTK+ library allows local users to specify arbitrary modules via the
GTK_MODULES environmental variable, which could allow local users to
gain privileges if GTK+ is used by a setuid/setgid program.

Description: itetris/xitetris 1.6.2 and earlier trusts the PATH environmental
variable to find and execute the gunzip program, which allows local
users to gain root privileges by changing their PATH so that it points
to a malicious gunzip program.

Description: common.inc.php in phpWebLog 0.4.2 does not properly initialize the
$CONF array, which inadvertently sets the password to a single
character, allowing remote attackers to easily guess the SiteKey and
gain administrative privileges to phpWebLog.

Frech> XF:kerberos4-arbitrary-proxy(9733)
Description states FreeBSD, but advisory is for NetBSD.
Prosser> http://www.linuxsecurity.com/advisories/netbsd_advisory-1007.html
CHANGE> [Prosser changed vote from ACCEPT to MODIFY]
Prosser> The operating system in this CAN should also be NetBSD vice FreeBSD, same as in 0094. FreeBSD 3.5 STABLE and 4.2 STABLE are vulnerable as well. See ref
FreeBSD-SA-01:25
http://www.linuxsecurity.com/advisories/freebsd_advisory-1153.html
or http://www.freebsd.org/security/security.html#adv
Christey> This description does not explicitly mention that the problem is
in a kerberized telnet. Need to verify that there aren't
already other CVEs that describe this.

Description: The Web interface for Infinite Interchange 3.6.1 allows remote
attackers to cause a denial of service (application crash) via a large
POST request.

Votes:

ACCEPT(1) Frech
NOOP(3) Cole, Ziese, Wall

Voter Comments:

Frech> Version is listed as 3.61 (see
http://support.infinite.com/kb/648.asp)
Also, vendor seems to have issued a verification (see above
document):
- - WebMail: Fix for an exception error triggered by a POST request with
an extremely long garbage URL. (v3.61.08)

Description: "Multiple Users" Control Panel in Mac OS 9 allows Normal users to gain
Owner privileges by removing the Users & Groups Data File, which
effectively removes the Owner password and allows the Normal user to
log in as the Owner account without a password.

Christey> XF:omnihttpd-statsconfig-corrupt-files
URL:http://xforce.iss.net/static/5955.php
Frech> XF:omnihttpd-statsconfig-corrupt-files(5955)
Christey> MISC:http://www.omnicron.ca/httpd/docs/release.html
May be vague acknowledgement; need to ask
mailto:support@omnicron.ca?subject=OmniHTTPd Technical Support
(and ask them about the other OmniHTTP issues as well)

Frech> XF:linux-apache-symlink(5926)
Christey> XF:linux-apache-symlink
URL:http://xforce.iss.net/static/5926.php
Christey> http://archives.neohapsis.com/archives/vendor/2001-q1/0019.html
Christey> This item may have been re-introduced into the Apache source
code sometime during 2002; CAN-2002-1233 has been created for
that version, which affects Apache 1.3.27 and other versions.
Christey> As a further clarification, CAN-2002-1233 is *only* for the
Debian-specific regression error.
Christey> DEBIAN:DSA-195
URL:http://www.debian.org/security/2002/dsa-195

Description: The web administration interface for Interscan VirusWall 3.6.x and
earlier does not use encryption, which could allow remote attackers to
sniff the administrator password via the setpasswd.cgi program or
other HTTP GET requests that contain base64 encoded usernames and
passwords.